CVE-2020-13881Log File Information Exposure in Tacplus Project PAM Tacplus

CWE-532Log File Information Exposure5 documents5 sources
Severity
7.5HIGHNVD
EPSS
1.2%
top 20.74%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Arista Cloudvision PortalPAM Tacplus Project PAM TacplusCanonical Ubuntu Linux+1 more
Timeline
PublishedJun 6
Latest updateMay 24

Description

In support.c in pam_tacplus 1.3.8 through 1.5.1, the TACACS+ shared secret gets logged via syslog if the DEBUG loglevel and journald are used.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

NVDpam_tacplus_project/pam_tacplus1.3.81.5.1

Also affects: Debian Linux 8.0, 9.0, Ubuntu Linux 16.04, 18.04, 20.04

Patches

Patch: www.openwall.comPatch: github.comPatch: www.openwall.com

🔴Vulnerability Details

3
GHSA
GHSA-gm22-vmf2-hwxg: In support2022-05-24
OSV
CVE-2020-13881: In support2020-06-06
CVEList
CVE-2020-13881: In support2020-06-06

📋Vendor Advisories

1
Ubuntu
pam_tacplus vulnerability2020-09-21
CVE-2020-13881 — Log File Information Exposure | cvebase