RHSA-2015:1640

Affecting pam package, versions <0:1.1.8-12.el7_1.1

Report new vulnerabilities
medium severity
Do your applications use this vulnerable package? Test your applications

Overview

Pluggable Authentication Modules (PAM) provide a system whereby administrators can set up authentication policies without having to recompile programs to handle authentication. It was discovered that the _unix_run_helper_binary() function of PAM's unix_pam module could write to a blocking pipe, possibly causing the function to become unresponsive. An attacker able to supply large passwords to the unix_pam module could use this flaw to enumerate valid user accounts, or cause a denial of service on the system. (CVE-2015-3238) Red Hat would like to thank Sebastien Macke of Trustwave SpiderLabs for reporting this issue. All pam users are advised to upgrade to this updated package, which contains a backported patch to correct this issue.

CVE
RHSA-2015:1640
Snyk ID
SNYK-CENTOS7-PAM-322835
Published
27 Jun, 2018