PT-2020-16800 · Linux+1 · Linux-Pam+1

Guilherme De Almeida Suckevicz · Published 2020-11-25 · Updated 2024-06-15 · CVE-2020-27780

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Linux-Pam versions prior to 1.5.1

Description

A flaw was found in the way Linux-Pam handles empty passwords for non-existing users. When the user does not exist, PAM attempts to authenticate with root, and in the case of an empty password, it successfully authenticates.

Recommendations

For versions prior to 1.5.1, update to version 1.5.1 or later to resolve the issue. As a temporary workaround, consider restricting the authentication mechanism to prevent empty passwords from being used.
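
An audit sketch for the two recommendations above, added here as an example and not part of the advisory or of Linux-PAM. It assumes the empty-password workaround corresponds to removing the `nullok` option from `pam_unix.so` lines, that the installed version string is supplied by the caller, and it runs on a constructed sample configuration.

```shell
#!/bin/sh
# Added example (not from the advisory). Assumption: the empty-password
# workaround maps to dropping the nullok option from pam_unix lines.

# version_lt A B: exit 0 when dotted version A is lower than B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }' < /dev/null
}

# nullok_lines: print active (uncommented) pam_unix lines on stdin that carry nullok.
nullok_lines() {
    awk '
        /^[ \t]*#/ { next }
        /pam_unix\.so/ { for (i = 1; i <= NF; i++) if ($i == "nullok") { print; next } }'
}

# audit VERSION: PAM config on stdin; returns 1 when anything is flagged.
audit() {
    findings=0
    if version_lt "$1" "1.5.1"; then
        echo "VERSION: Linux-PAM $1 is below 1.5.1, update to 1.5.1 or later"
        findings=1
    fi
    hits=$(nullok_lines)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | sed 's/^/NULLOK: /'
        findings=1
    fi
    return "$findings"
}

# Constructed sample input, not taken from a real host.
SAMPLE='auth    required   pam_env.so
auth    sufficient pam_unix.so nullok try_first_pass
# auth  sufficient pam_unix.so nullok
password sufficient pam_unix.so sha512 shadow'

printf '%s\n' "$SAMPLE" | audit "1.5.0" || true
```

On a real host, pass the version reported by the package manager and feed in the service files under `/etc/pam.d`.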

Weakness Enumeration

Improper Authentication

Related Identifiers

ALT-PU-2020-3418
CVE-2020-27780
OPENSUSE-SU-2024:11140-1

Affected Products

Alt Linux
Linux-Pam