CVE-2024-10963 — Improper Authentication in PAM

CWE-287 — Improper Authentication7 documents7 sources

Severity

7.4HIGHNVD

EPSS

0.6%

top 31.47%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

PAM Debian PAM Msrc Azl3 PAM 1.5.3-3 ON Azure Linux 3.0 +4 more

Timeline

PublishedNov 7

Latest updateSep 22

Description

A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This vulnerability allows attackers to trick the system by pretending to be a trusted hostname, gaining unauthorized access. This issue poses a risk for systems that rely on this feature to control who can access certain services or terminals.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 2.2 | Impact: 5.2

Affected Packages7 packages

▶debiandebian/pam< pam 1.7.0-5 (forky)

▶Debianpam/pam< 1.7.0-5+1

▶msrcmsrc/azure_linux_3.0_arm

▶msrcmsrc/azure_linux_3.0_x64

▶msrcmsrc/azl3_pam_1.5.3-3_on_azure_linux_3.0

🔴Vulnerability Details

OSV

CVE-2024-10963: A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames↗2024-11-07

▶

GHSA

GHSA-rw99-6hrh-fmjr: A vulnerability was found in pam_access due to the improper handling of tokens in access↗2024-11-07

▶

📋Vendor Advisories

Ubuntu

PAM vulnerability↗2025-09-22

▶

Microsoft

Pam: improper hostname interpretation in pam_access leads to access control bypass↗2024-11-12

▶

Red Hat

pam: Improper Hostname Interpretation in pam_access Leads to Access Control Bypass↗2024-11-07

▶

Debian

CVE-2024-10963: pam - A flaw was found in pam_access, where certain rules in its configuration file ar...↗2024

▶