
CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

21 Apr 2022 — In pam_tacplus.c in pam_tacplus before 1.4.1, pam_sm_acct_mgmt does not zero out the arep data structure. • https://github.com/kravietz/pam_tacplus/commit/e4c00eba70a0f72c4de77b5f072c69708ec2beab

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

26 Oct 2020 — libtac in pam_tacplus through 1.5.1 lacks a check for a failure of RAND_bytes()/RAND_pseudo_bytes(). This could lead to use of a non-random/predictable session_id. • https://github.com/kravietz/pam_tacplus/pull/163 • CWE-330: Use of Insufficiently Random Values

CVSS: 7.5 • EPSS: 0% • CPEs: 7 • EXPL: 0

06 Jun 2020 — In support.c in pam_tacplus 1.3.8 through 1.5.1, the TACACS+ shared secret gets logged via syslog if the DEBUG loglevel and journald are used. It was discovered that pam_tacplus did not properly manage shared secrets if DEBUG loglevel and journald are used. A remote attacker could use this issue to expose sensitive information... • http://www.openwall.com/lists/oss-security/2020/06/08/1 • CWE-532: Insertion of Sensitive Information into Log File