Executive Summary
| Summary | |
|---|---|
| Title | New mod-auth-shadow packages fix password expiration checking |
| Informations | |||
|---|---|---|---|
| Name | DSA-421 | First vendor Publication | 2004-01-12 |
| Vendor | Debian | Last vendor Modification | 2004-01-12 |
| Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 7.5 | Attack Range | Network |
| Cvss Impact Score | 6.4 | Attack Complexity | Low |
| Cvss Expoit Score | 10 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| David B Harris discovered a problem with mod-auth-shadow, an Apache module which authenticates users against the system shadow password database, where the expiration status of the user's account and password were not enforced. This vulnerability would allow an otherwise authorized user to successfully authenticate, when the attempt should be rejected due to the expiration parameters. For the current stable distribution (woody) this problem has been fixed in version 1.3-3.1woody.1 For the unstable distribution (sid) this problem has been fixed in version 1.4-1. We recommend that you update your mod-auth-shadow package. |
Original Source
| Url : http://www.debian.org/security/2004/dsa-421 |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 100 % | CWE-264 | Permissions, Privileges, and Access Controls |
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Application | 5 |
OpenVAS Exploits
| Date | Description |
|---|---|
| 2008-01-17 | Name : Debian Security Advisory DSA 421-1 (mod-auth-shadow) File : nvt/deb_421_1.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 3454 | mod_auth_shadow Account Expiry Date Not Enforced mod_auth_shadow contains a flaw that may allow a malicious user to log in with an expired account. The issue is triggered because mod_auth_shadow doesn't check for account expiration. It is possible that the flaw may allow an attacker to log in with an expired account resulting in a loss of confidentiality, integrity, and/or availability. |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2004-09-29 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-421.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:33:01 |
|
