PT-2024-6670

Matthias Gerstner · Published 2024-08-08 · Updated 2024-11-14 · CVE-2024-47191

CVSS v3.1: 7.1 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions: oath-toolkit versions 2.6.7 through 2.6.11

Description: Local root exploit in the PAM module pam_oath.so of the oath-toolkit. Because the PAM code runs as root, its mishandling of usersfile access (for example, calling fchown while a symlink is present) allows a local attacker to escalate privileges and gain root access to the system.

Recommendations: For oath-toolkit versions 2.6.7 through 2.6.11, update to version 2.6.12 or later to mitigate the risk of root privilege escalation. As a temporary workaround, consider disabling the pam_oath.so module until a patch is available. Restrict access to the vulnerable module to minimize the risk of exploitation. Avoid using the usersfile option of the affected PAM module until the issue is resolved.
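The weakness described above is a privileged process operating on a path that an unprivileged user can replace with a symlink. The C below is an added illustration of the defensive pattern, not oath-toolkit's own code (the file names, the expected-owner check and the self-check are assumptions): the state file is opened with O_NOFOLLOW, verified through the descriptor, and fchown is called only on that same descriptor, so a planted link cannot redirect the ownership change.

```c
#define _GNU_SOURCE                 /* O_NOFOLLOW and O_CLOEXEC on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a state file the way privileged code should: never follow a symlink, then
 * confirm via the descriptor that it is a regular file owned by expected_owner. */
int open_state_file_safely(const char *path, uid_t expected_owner)
{
    int fd = open(path, O_RDWR | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;          /* errno == ELOOP: a symlink sat at path */
    struct stat st;
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_uid == expected_owner)
        return fd;
    close(fd);
    errno = EPERM;                  /* wrong type or owner: refuse to touch it */
    return -1;
}

/* Change ownership only through a descriptor that passed those checks, so the
 * check and the fchown() act on the same file object. Returns 0 on success. */
int chown_verified_file(const char *path, uid_t owner, uid_t uid, gid_t gid)
{
    int fd = open_state_file_safely(path, owner);
    if (fd < 0) return -1;
    int rc = fchown(fd, uid, gid);
    close(fd);
    return rc;
}

/* Self-check on constructed files under dir: a regular file plus a symlink to
 * it. Returns 1 when the file is accepted and the link is rejected with ELOOP. */
int symlink_is_rejected(const char *dir)
{
    char file[512], lnk[512];
    snprintf(file, sizeof file, "%s/users.example", dir);
    snprintf(lnk, sizeof lnk, "%s/users.example.lnk", dir);
    int fd = open(file, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);
    if (fd < 0) return 0;
    close(fd);
    unlink(lnk);                    /* tolerate a link left over from an earlier run */
    if (symlink(file, lnk) < 0) return 0;
    int via_file = chown_verified_file(file, getuid(), getuid(), (gid_t)-1);
    int via_link = open_state_file_safely(lnk, getuid());
    int link_errno = errno;
    unlink(file); unlink(lnk);
    return via_file == 0 && via_link < 0 && link_errno == ELOOP;
}
```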

Fix

Weakness Enumeration

Race Condition
Link Following
Path Traversal

Related Identifiers

AZL-50121
AZL-50124
BDU:2024-07876
CVE-2024-47191
DSA-5784-1
MGASA-2024-0335
OPENSUSE-SU-2024:14389-1
RHSA-2025:3635
RHSA-2025:4238
RHSA-2025:4664
RHSA-2025:9775
USN-7059-1
USN-7059-2

Affected Products

Astra Linux
Linuxmint
Ubuntu
Oath Toolkit