CVE-2019-12209

Name of the Vulnerable Software and Affected Versions Yubico pam-u2f version 1.0.7

Description The issue is related to the parsing of the configured authfile by Yubico pam-u2f. It does not properly verify that the path lacks symlinks pointing to other files on the system owned by root. If the debug option is enabled in the PAM configuration, part of the file contents of a symlink target will be logged, possibly revealing sensitive information. The vulnerability may allow a remote attacker to disclose protected information.

Recommendations For Yubico pam-u2f version 1.0.7, consider disabling the debug option in the PAM configuration to prevent potential logging of sensitive information. Additionally, restrict access to the authfile and ensure that the path to the authfile does not contain symlinks pointing to other files on the system owned by root. At the moment, there is no information about a newer version that contains a fix for this vulnerability.