Debian Pam vulnerabilities

CVE-2025-8941 [HIGH] CVE-2025-8941: pam - A flaw was found in linux-pam. The pam_namespace module may improperly handle us... A flaw was found in linux-pam. The pam_namespace module may improperly handle user-controlled paths, allowing local users to exploit symlink attacks and race conditions to elevate their privileges to root. This CVE provides a "complete" fix for CVE-2025-6020. Scope: local bookworm: undetermined bullseye: undetermined forky: undetermined sid: undetermined trixie: undetermi

CVE-2025-6020 [HIGH] CVE-2025-6020: pam - A flaw was found in linux-pam. The module pam_namespace may use access user-cont... A flaw was found in linux-pam. The module pam_namespace may use access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions. Scope: local bookworm: resolved (fixed in 1.5.2-6+deb12u2) bullseye: resolved (fixed in 1.4.0-9+deb11u2) forky: resolved (fixed in 1.7.0-5) sid: re

CVE-2025-6018 [HIGH] CVE-2025-6018: pam - A Local Privilege Escalation (LPE) vulnerability has been discovered in pam-conf... A Local Privilege Escalation (LPE) vulnerability has been discovered in pam-config within Linux Pluggable Authentication Modules (PAM). This flaw allows an unprivileged local attacker (for example, a user logged in via SSH) to obtain the elevated privileges normally reserved for a physically present, "allow_active" user. The highest risk is that the attacker can then perf

CVE-2024-10041 [MEDIUM] CVE-2024-10041: pam - A vulnerability was found in PAM. The secret information is stored in memory, wh... A vulnerability was found in PAM. The secret information is stored in memory, where the attacker can trigger the victim program to execute by sending characters to its standard input (stdin). As this occurs, the attacker can train the branch predictor to execute an ROP chain speculatively. This flaw could result in leaked passwords, such as those found in /etc/shadow

CVE-2024-22365 [MEDIUM] CVE-2024-22365: pam - linux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a denial of ser... linux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a denial of service (blocked login process) via mkfifo because the openat call (for protect_dir) lacks O_DIRECTORY. Scope: local bookworm: resolved (fixed in 1.5.2-6+deb12u2) bullseye: resolved (fixed in 1.4.0-9+deb11u2) forky: resolved (fixed in 1.5.3-4) sid: resolved (fixed in 1.5.3-4) trixie: resolved

CVE-2024-10963 [HIGH] CVE-2024-10963: pam - A flaw was found in pam_access, where certain rules in its configuration file ar... A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This vulnerability allows attackers to trick the system by pretending to be a trusted hostname, gaining unauthorized access. This issue poses a risk for systems that rely on this feature to control who can access certain services or terminals. Scope: local

CVE-2022-28321 [CRITICAL] CVE-2022-28321: pam - The Linux-PAM package before 1.5.2-6.1 for openSUSE Tumbleweed allows authentica... The Linux-PAM package before 1.5.2-6.1 for openSUSE Tumbleweed allows authentication bypass for SSH logins. The pam_access.so module doesn't correctly restrict login if a user tries to connect from an IP address that is not resolvable via DNS. In such conditions, a user with denied access to a machine can still get access. NOTE: the relevance of this issue is largel

CVE-2020-27780 [CRITICAL] CVE-2020-27780: pam - A flaw was found in Linux-Pam in versions prior to 1.5.1 in the way it handle em... A flaw was found in Linux-Pam in versions prior to 1.5.1 in the way it handle empty passwords for non-existing users. When the user doesn't exist PAM try to authenticate with root and in the case of an empty password it successfully authenticate. Scope: local bookworm: resolved bullseye: resolved forky: resolved sid: resolved trixie: resolved

CVE-2020-36394 [HIGH] CVE-2020-36394: pam - pam_setquota.c in the pam_setquota module before 2020-05-29 for Linux-PAM allows... pam_setquota.c in the pam_setquota module before 2020-05-29 for Linux-PAM allows local attackers to set their quota on an arbitrary filesystem, in certain situations where the attacker's home directory is a FUSE filesystem mounted under /home. Scope: local bookworm: resolved bullseye: resolved forky: resolved sid: resolved trixie: resolved

CVE-2018-17953 [HIGH] CVE-2018-17953: pam - A incorrect variable in a SUSE specific patch for pam_access rule matching in PA... A incorrect variable in a SUSE specific patch for pam_access rule matching in PAM 1.3.0 in openSUSE Leap 15.0 and SUSE Linux Enterprise 15 could lead to pam_access rules not being applied (fail open). Scope: local bookworm: resolved bullseye: resolved forky: resolved sid: resolved trixie: resolved

CVE-2015-3238 [MEDIUM] CVE-2015-3238: pam - The _unix_run_helper_binary function in the pam_unix module in Linux-PAM (aka pa... The _unix_run_helper_binary function in the pam_unix module in Linux-PAM (aka pam) before 1.2.1, when unable to directly access passwords, allows local users to enumerate usernames or cause a denial of service (hang) via a large password. Scope: local bookworm: resolved (fixed in 1.1.8-3.2) bullseye: resolved (fixed in 1.1.8-3.2) forky: resolved (fixed in 1.1.8-3.2) sid

CVE-2014-2583 [MEDIUM] CVE-2014-2583: pam - Multiple directory traversal vulnerabilities in pam_timestamp.c in the pam_times... Multiple directory traversal vulnerabilities in pam_timestamp.c in the pam_timestamp module for Linux-PAM (aka pam) 1.1.8 allow local users to create arbitrary files or possibly bypass authentication via a .. (dot dot) in the (1) PAM_RUSER value to the get_ruser function or (2) PAM_TTY value to the check_tty function, which is used by the format_timestamp_name function.

CVE-2013-7041 [MEDIUM] CVE-2013-7041: pam - The pam_userdb module for Pam uses a case-insensitive method to compare hashed p... The pam_userdb module for Pam uses a case-insensitive method to compare hashed passwords, which makes it easier for attackers to guess the password via a brute force attack. Scope: local bookworm: resolved (fixed in 1.1.8-3.1) bullseye: resolved (fixed in 1.1.8-3.1) forky: resolved (fixed in 1.1.8-3.1) sid: resolved (fixed in 1.1.8-3.1) trixie: resolved (fixed in 1.1.8-

CVE-2011-3148 [MEDIUM] CVE-2011-3148: pam - Stack-based buffer overflow in the _assemble_line function in modules/pam_env/pa... Stack-based buffer overflow in the _assemble_line function in modules/pam_env/pam_env.c in Linux-PAM (aka pam) before 1.1.5 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a long string of white spaces at the beginning of the ~/.pam_environment file. Scope: local bookworm: resolved (fixed in 1.1.3-5) bullseye: resolved (fi

CVE-2011-3149 [LOW] CVE-2011-3149: pam - The _expand_arg function in the pam_env module (modules/pam_env/pam_env.c) in Li... The _expand_arg function in the pam_env module (modules/pam_env/pam_env.c) in Linux-PAM (aka pam) before 1.1.5 does not properly handle when environment variable expansion can overflow, which allows local users to cause a denial of service (CPU consumption). Scope: local bookworm: resolved (fixed in 1.1.3-5) bullseye: resolved (fixed in 1.1.3-5) forky: resolved (fixed in 1

CVE-2011-3628 [MEDIUM] CVE-2011-3628: pam - Untrusted search path vulnerability in pam_motd (aka the MOTD module) in libpam-... Untrusted search path vulnerability in pam_motd (aka the MOTD module) in libpam-modules before 1.1.3-2ubuntu2.1 on Ubuntu 11.10, before 1.1.2-2ubuntu8.4 on Ubuntu 11.04, before 1.1.1-4ubuntu2.4 on Ubuntu 10.10, before 1.1.1-2ubuntu5.4 on Ubuntu 10.04 LTS, and before 0.99.7.1-5ubuntu6.5 on Ubuntu 8.04 LTS, when using certain configurations such as "session optional pam_m

CVE-2010-3430 [MEDIUM] CVE-2010-3430: pam - The privilege-dropping implementation in the (1) pam_env and (2) pam_mail module... The privilege-dropping implementation in the (1) pam_env and (2) pam_mail modules in Linux-PAM (aka pam) 1.1.2 does not perform the required setfsgid and setgroups system calls, which might allow local users to obtain sensitive information by leveraging unintended group permissions, as demonstrated by a symlink attack on the .pam_environment file in a user's home direct

CVE-2010-3435 [MEDIUM] CVE-2010-3435: pam - The (1) pam_env and (2) pam_mail modules in Linux-PAM (aka pam) before 1.1.2 use... The (1) pam_env and (2) pam_mail modules in Linux-PAM (aka pam) before 1.1.2 use root privileges during read access to files and directories that belong to arbitrary user accounts, which might allow local users to obtain sensitive information by leveraging this filesystem activity, as demonstrated by a symlink attack on the .pam_environment file in a user's home directo

CVE-2010-4706 [MEDIUM] CVE-2010-4706: pam - The pam_sm_close_session function in pam_xauth.c in the pam_xauth module in Linu... The pam_sm_close_session function in pam_xauth.c in the pam_xauth module in Linux-PAM (aka pam) 1.1.2 and earlier does not properly handle a failure to determine a certain target uid, which might allow local users to delete unintended files by executing a program that relies on the pam_xauth PAM check. Scope: local bookworm: resolved (fixed in 1.1.3-1) bullseye: resolve

CVE-2010-4707 [MEDIUM] CVE-2010-4707: pam - The check_acl function in pam_xauth.c in the pam_xauth module in Linux-PAM (aka ... The check_acl function in pam_xauth.c in the pam_xauth module in Linux-PAM (aka pam) 1.1.2 and earlier does not verify that a certain ACL file is a regular file, which might allow local users to cause a denial of service (resource consumption) via a special file. Scope: local bookworm: resolved (fixed in 1.1.3-1) bullseye: resolved (fixed in 1.1.3-1) forky: resolved (fi