Vulnerability Description
In check_user_token in util.c in the Yubico PAM module (aka pam_yubico) 2.18 through 2.25, successful logins can leak file descriptors to the auth mapping file, which can lead to information disclosure (serial number of a device) and/or DoS (reaching the maximum number of file descriptors).
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Yubico | Yubico Pam | >= 2.18, <= 2.25 |
Related Weaknesses (CWE)
References
- https://bugzilla.opensuse.org/show_bug.cgi?id=1088027Issue TrackingThird Party Advisory
- https://github.com/Yubico/yubico-pam/commit/0f6ceabab0a8849b47f67d727aa526c26560Patch
- https://github.com/Yubico/yubico-pam/issues/136Issue TrackingThird Party Advisory
- https://bugzilla.opensuse.org/show_bug.cgi?id=1088027Issue TrackingThird Party Advisory
- https://github.com/Yubico/yubico-pam/commit/0f6ceabab0a8849b47f67d727aa526c26560Patch
- https://github.com/Yubico/yubico-pam/issues/136Issue TrackingThird Party Advisory
FAQ
What is CVE-2018-9275?
CVE-2018-9275 is a vulnerability with a CVSS score of 8.2 (HIGH). In check_user_token in util.c in the Yubico PAM module (aka pam_yubico) 2.18 through 2.25, successful logins can leak file descriptors to the auth mapping file, which can lead to information disclosur...
How severe is CVE-2018-9275?
CVE-2018-9275 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-9275?
Check the references section above for vendor advisories and patch information. Affected products include: Yubico Yubico Pam.