Bug 1901094 (CVE-2020-27780)
Summary: | CVE-2020-27780 pam: authentication bypass when the user doesn't exist and root password is blank | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED NOTABUG | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | besser82, ipedrosa, pbrezina, tmraz |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | pam 1.5.1 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was found in Linux-PAM in the way it handles empty passwords for non-existing users. When the user doesn't exist, PAM tries to authenticate with root and with an empty password, authentication is successful. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2020-11-24 17:34:06 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1901173 | ||
Bug Blocks: | 1900800 |
Description
Guilherme de Almeida Suckevicz
2020-11-24 13:41:15 UTC
Introduced in version 1.5.0. Created pam tracking bugs for this issue: Affects: fedora-all [bug 1901173] This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-27780 |