CVE-2005-2977 — Improper Control of Interaction Frequency in PAM

7 documents6 sources

Severity

2.1LOWNVD

EPSS

0.1%

top 77.25%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

PAM Debian PAM

Timeline

PublishedNov 1

Latest updateMay 1

Description

The SELinux version of PAM before 0.78 r3 allows local users to perform brute force password guessing attacks via unix_chkpwd, which does not log failed guesses or delay its responses.

CVSS vector

AV:L/AC:L/C:P/I:N/A:NExploitability: 3.9 | Impact: 2.9

Affected Packages3 packages

▶debiandebian/pam< pam 0.99.7.1-2 (bookworm)

▶Debianpam/pam< 0.99.7.1-2+3

▶NVDpam/pam0.80

Patches

Patch: secunia.com ↗Patch: www.gentoo.org ↗Patch: secunia.com ↗

🔴Vulnerability Details

GHSA

GHSA-9fch-jjp9-h24r: The SELinux version of PAM before 0↗2022-05-01

▶

OSV

CVE-2005-2977: The SELinux version of PAM before 0↗2005-11-01

▶

📋Vendor Advisories

Red Hat

security flaw↗2005-10-26

▶

Debian

CVE-2005-2977: pam - The SELinux version of PAM before 0.78 r3 allows local users to perform brute fo...↗2005

▶

💬Community

Bugzilla

CVE-2005-2977 security flaw↗2018-08-16

▶

Bugzilla

CVE-2005-2977 unix_chkpwd helper doesn't verify requesting user if SELinux is enabled↗2005-09-13

▶