3 results (0.004 seconds)

CVSS: 5.0EPSS: 0%CPEs: 7EXPL: 0

pam_krb5 2.2.14 through 2.3.4, as used in Red Hat Enterprise Linux (RHEL) 5, generates different password prompts depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. pam_krb5 v2.2.14 a v2.3.4, tal como se usa Red Hat Enterprise Linux (RHEL) 5, genera diferentes peticiones de contraseña dependiendo de si existe la cuenta de usuario, lo que permite a atacantes remotos enumerar los nombres de usuario válidos. • http://osvdb.org/54791 http://secunia.com/advisories/35230 http://secunia.com/advisories/43314 http://www.mandriva.com/security/advisories?name=MDVSA-2010:054 http://www.openwall.com/lists/oss-security/2009/05/27/1 http://www.securityfocus.com/archive/1/516397/100/0/threaded http://www.securityfocus.com/bid/35112 http://www.vmware.com/security/advisories/VMSA-2011-0003.html http://www.vupen.com/english/advisories/2009/1448 https://bugzilla.redhat.com/show_bug.cgi? • CWE-287: Improper Authentication •

CVSS: 6.2EPSS: 0%CPEs: 20EXPL: 1

Russ Allbery pam-krb5 before 3.13, when linked against MIT Kerberos, does not properly initialize the Kerberos libraries for setuid use, which allows local users to gain privileges by pointing an environment variable to a modified Kerberos configuration file, and then launching a PAM-based setuid application. Russ Allbery pam-krb5 versiones anteriores a v3.13, cuando es enlazado a través de MIT Kerberos, no inicializa correctamente las librerías Kerberos al usarlas en la fijación de propietario, permitiendo a usuarios locales obtener privilegios al apuntar una variable de entorno a un fichero de configuración de Kerberos modificado, y después llamando a una aplicación de fijación de propietario basada en PAM. • https://www.exploit-db.com/exploits/8303 http://secunia.com/advisories/33914 http://secunia.com/advisories/33917 http://secunia.com/advisories/34260 http://secunia.com/advisories/34449 http://security.gentoo.org/glsa/glsa-200903-39.xml http://securitytracker.com/id?1021711 http://sunsolve.sun.com/search/document.do?assetkey=1-66-252767-1 http://support.avaya.com/elmodocs2/security/ASA-2009-070.htm http://www.debian.org/security/2009/dsa-1721 http://www.eyrie.org/& • CWE-287: Improper Authentication •

CVSS: 4.6EPSS: 0%CPEs: 13EXPL: 0

Russ Allbery pam-krb5 before 3.13, as used by libpam-heimdal, su in Solaris 10, and other software, does not properly handle calls to pam_setcred when running setuid, which allows local users to overwrite and change the ownership of arbitrary files by setting the KRB5CCNAME environment variable, and then launching a setuid application that performs certain pam_setcred operations. Russ Allbery pam-krb5 versiones anteriores a v3.13, como el usado por libpam-heimdal, el comando "su" en Solaris 10, y otros programas, no gestiona correctamente las peticiones a "pam_setcred" al ejecutar "setuid", permitiendo a usuarios locales sobreescribir y cambiar los propietarios de los ficheros que elijan al asignarle un valor a la variable de entorno "KRB5CCNAME", y después invocar la aplicación setuid que efectúa ciertas operaciones "pam_setcred". • http://secunia.com/advisories/33914 http://secunia.com/advisories/33917 http://secunia.com/advisories/33918 http://secunia.com/advisories/34260 http://secunia.com/advisories/34449 http://security.gentoo.org/glsa/glsa-200903-39.xml http://securitytracker.com/id?1021711 http://sunsolve.sun.com/search/document.do?assetkey=1-66-252767-1 http://support.avaya.com/elmodocs2/security/ASA-2009-070.htm http://www.debian.org/security/2009/dsa-1721 http://www.debian.org/security/ • CWE-264: Permissions, Privileges, and Access Controls •