CVE-2017-12197 — Incorrect Authorization in Project Libpam4j

CWE-863 — Incorrect Authorization CWE-20 — Improper Input Validation9 documents6 sources

Severity

6.5MEDIUMNVD

EPSS

0.5%

top 33.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Libpam4j Project Libpam4j RED HAT INC Libpam4j Debian Linux +34 more

Timeline

PublishedJan 18

Latest updateMay 13

Description

It was found that libpam4j up to and including 1.8 did not properly validate user accounts when authenticating. A user with a valid password for a disabled account would be able to bypass security restrictions and possibly access sensitive information.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages36 packages

▶jenkinsjenkins/ids_to_allow_users_configuring_the_plugin

▶Ubuntulibpam4j_project/libpam4j< 1.4-2+deb8u1build0.14.04.1+1

▶NVDlibpam4j_project/libpam4j1.8

▶CVEListV5red_hat_inc/libpam4jup to and including 1.8

▶jenkinsjenkins/read_access_to_jenkins_to_change_the_plugin

Also affects: Debian Linux 7.0, 8.0, 9.0, Enterprise Linux 6.0

🔴Vulnerability Details

GHSA

Improper Input Validation in libpam4j↗2022-05-13

▶

OSV

Improper Input Validation in libpam4j↗2022-05-13

▶

OSV

CVE-2017-12197: It was found that libpam4j up to and including 1↗2018-01-18

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2018-09-25↗2018-09-25

▶

Red Hat

libpam4j: Account check bypass↗2017-10-17

▶

💬Community

Bugzilla

CVE-2017-12197 jenkins-pam-auth-plugin: libpam4j: Account check bypass [fedora-all]↗2018-10-15

▶

Bugzilla

CVE-2017-12197 libpam4j: Account check bypass [fedora-all]↗2017-11-09

▶

Bugzilla

CVE-2017-12197 libpam4j: Account check bypass↗2017-10-17

▶