CVE-2020-13881
Published 2020-06-06
CVE-2020-13881: In support.c in pam_tacplus 1.3.8 through 1.5.1, the TACACS+ shared secret gets logged via syslog if the DEBUG loglevel and journald are used.
Priority: P3 · 36 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 1.67% (73.9th percentile)
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| arista | cloudvision_portal | < 2020.1.2 | 2020.1.2 |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| pam_tacplus_project | pam_tacplus | 1.3.8 – 1.5.1 | — |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
| osv | — | 7.5 | HIGH | — |
GHSA
GHSA-gm22-vmf2-hwxg (ghsa_unreviewed · 2022-05-24): CVE-2020-13881 [MEDIUM] CWE-532, "In support"
OSV
CVE-2020-13881 (osv · 2020-06-06 · CVSS 7.5): [HIGH], "In support"
Ubuntu
CVE-2020-13881: pam_tacplus vulnerability (vendor_ubuntu · 2020-09-21)
Title: pam_tacplus vulnerability
Summary: pam_tacplus could be made to expose sensitive information.
It was discovered that pam_tacplus did not properly manage shared secrets if DEBUG loglevel and journald are used. A remote attacker could use this issue to expose sensitive information.
Instructions: In general, a standard system update will make all the necessary changes.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- http://www.openwall.com/lists/oss-security/2020/06/08/1
- https://github.com/kravietz/pam_tacplus/commit/4a9852c31c2fd0c0e72fbb689a586aabcfb11cb0
- https://github.com/kravietz/pam_tacplus/issues/149
- https://lists.debian.org/debian-lts-announce/2020/06/msg00007.html
- https://lists.debian.org/debian-lts-announce/2021/08/msg00006.html
- https://usn.ubuntu.com/4521-1/
- https://www.arista.com/en/support/advisories-notices/security-advisories/11705-security-advisory-50

Published: 2020-06-06