// For flags

CVE-2018-9275

 

Severity Score

8.2
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

In check_user_token in util.c in the Yubico PAM module (aka pam_yubico) 2.18 through 2.25, successful logins can leak file descriptors to the auth mapping file, which can lead to information disclosure (serial number of a device) and/or DoS (reaching the maximum number of file descriptors).

En check_user_token en util.c en el módulo Yubico PAM (también conocido como pam_yubico), de la versión 2.18 hasta la 2.25, los inicios de sesión exitosos pueden filtrar descriptores de archivo al archivo de mapeo auth. Esto puede conducir a una divulgación de información (número de serie de un dispositivo) y/o una denegación de servicio (alcance del número máximo de descriptores de archivo).

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2018-04-04 CVE Reserved
  • 2018-04-04 CVE Published
  • 2024-09-17 CVE Updated
  • 2024-09-17 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Yubico
Search vendor "Yubico"
 Yubico Pam
Search vendor "Yubico" for product "Yubico Pam"
 >= 2.18 <= 2.25
Search vendor "Yubico" for product "Yubico Pam" and version " >= 2.18 <= 2.25"
yubico
Affected