
CVE-2009-0361
Date: (C)2009-02-13   (M)2023-12-22


Russ Allbery pam-krb5 before 3.13, as used by libpam-heimdal, su in Solaris 10, and other software, does not properly handle calls to pam_setcred when running setuid, which allows local users to overwrite and change the ownership of arbitrary files by setting the KRB5CCNAME environment variable, and then launching a setuid application that performs certain pam_setcred operations.

CVSS Score and Metrics

CVSS V2 Severity:
CVSS Score : 4.6
Exploit Score: 3.9
Impact Score: 6.4
 
CVSS V2 Metrics:
Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
  
Reference:
SECTRACK-1021711
http://www.securityfocus.com/archive/1/500892/100/0/threaded
SUNALERT-252767
BID-33741
SECUNIA-33914
SECUNIA-33917
SECUNIA-33918
SECUNIA-34260
SECUNIA-34449
ADV-2009-0410
ADV-2009-0426
ADV-2009-0979
DSA-1721
DSA-1722
GLSA-200903-39
USN-719-1
http://support.avaya.com/elmodocs2/security/ASA-2009-070.htm
http://www.eyrie.org/~eagle/software/pam-krb5/security/2009-02-11.html
oval:org.mitre.oval:def:5403
oval:org.mitre.oval:def:5521

CWE    1
CWE-264
OVAL    5
oval:org.mitre.oval:def:8163
oval:org.mitre.oval:def:8149
oval:org.secpod.oval:def:700376
oval:org.secpod.oval:def:600457
...

© SecPod Technologies