Vulnerability Description
Multiple directory traversal vulnerabilities in pam_timestamp.c in the pam_timestamp module for Linux-PAM (aka pam) 1.1.8 allow local users to create arbitrary files or possibly bypass authentication via a .. (dot dot) in the (1) PAM_RUSER value to the get_ruser function or (2) PAM_TTY value to the check_tty function, which is used by the format_timestamp_name function.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linux-Pam | Linux-Pam | 1.1.8 |
Related Weaknesses (CWE)
References
- http://secunia.com/advisories/57317Vendor Advisory
- http://www.openwall.com/lists/oss-security/2014/03/24/5
- http://www.openwall.com/lists/oss-security/2014/03/26/10
- http://www.openwall.com/lists/oss-security/2014/03/31/6
- http://www.securityfocus.com/bid/66493
- http://www.ubuntu.com/usn/USN-2935-1
- http://www.ubuntu.com/usn/USN-2935-2
- http://www.ubuntu.com/usn/USN-2935-3
- https://git.fedorahosted.org/cgit/linux-pam.git/commit/?id=Linux-PAM-1_1_8-32-g9ExploitPatch
- https://security.gentoo.org/glsa/201605-05
- http://secunia.com/advisories/57317Vendor Advisory
- http://www.openwall.com/lists/oss-security/2014/03/24/5
- http://www.openwall.com/lists/oss-security/2014/03/26/10
- http://www.openwall.com/lists/oss-security/2014/03/31/6
- http://www.securityfocus.com/bid/66493
FAQ
What is CVE-2014-2583?
CVE-2014-2583 is a vulnerability with a CVSS score of 5.8 (MEDIUM). Multiple directory traversal vulnerabilities in pam_timestamp.c in the pam_timestamp module for Linux-PAM (aka pam) 1.1.8 allow local users to create arbitrary files or possibly bypass authentication ...
How severe is CVE-2014-2583?
CVE-2014-2583 has been rated MEDIUM with a CVSS base score of 5.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-2583?
Check the references section above for vendor advisories and patch information. Affected products include: Linux-Pam Linux-Pam.