CVE-2019-12210
Last modified
CVE-2019-12210 is a vulnerability of currently unknown severity. In Yubico pam-u2f 1.0.7, when configured with debug and a custom debug log file is set using debug_file, that file descriptor is not closed when a new process is spawned. This leads to the file descriptor being inherited into the child process; the child process can then read from and write to it. EPSS estimates a 1.87% chance of exploitation in the next 30 days.
Description
In Yubico pam-u2f 1.0.7, when configured with debug and a custom debug log file is set using debug_file, that file descriptor is not closed before a new process is spawned and is not marked close-on-exec, so it is inherited into the child process, which can then read from and write to it. Because a PAM module runs inside the authenticating process (for example the service that goes on to start the user's session), the child that inherits the descriptor can be a process under the authenticated user's control. This can leak sensitive information from the debug log and, if the descriptor is written to, be used to fill the disk or plant misinformation in the log.
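The mechanism behind this class of bug, as an added example that is not pam-u2f's code or the upstream fix: a log opened without close-on-exec survives exec() and a spawned /bin/sh can write into it through the inherited descriptor number, while the same log opened with O_CLOEXEC is gone in the child. The example assumes a POSIX system with /bin/sh and a writable /tmp; the temp file path, the marker strings and the helper names (open_debug_log, has_cloexec, set_cloexec, child_wrote_into_log) are constructed for the demonstration. Using O_CLOEXEC (or fcntl F_SETFD on an already open descriptor) is one correct remedy; no claim is made that it is what the referenced commit does.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open a debug log for appending. With close_on_exec == 0 the descriptor
 * behaves like the leaky one in the advisory: it survives exec() and every
 * child inherits it. With close_on_exec != 0 it is opened O_CLOEXEC, so the
 * kernel closes it in the child at exec() time. Returns the fd or -1. */
int open_debug_log(const char *path, int close_on_exec) {
    int flags = O_WRONLY | O_CREAT | O_APPEND;
    if (close_on_exec)
        flags |= O_CLOEXEC;
    return open(path, flags, 0600);
}

/* Report whether FD_CLOEXEC is set on fd: 1 = set, 0 = not set, -1 = bad fd.
 * This is the check to run on any descriptor that must not cross exec(). */
int has_cloexec(int fd) {
    int fl = fcntl(fd, F_GETFD);
    if (fl < 0)
        return -1;
    return (fl & FD_CLOEXEC) ? 1 : 0;
}

/* Retrofit close-on-exec onto an already open descriptor (what you do when
 * you cannot change the open() call itself). Returns 0 on success. */
int set_cloexec(int fd) {
    int fl = fcntl(fd, F_GETFD);
    if (fl < 0)
        return -1;
    return fcntl(fd, F_SETFD, fl | FD_CLOEXEC) < 0 ? -1 : 0;
}

/* Fork and exec /bin/sh as the "spawned process"; the shell tries to write a
 * marker through descriptor number fd, exactly as a child of the
 * authenticating process could. Returns 0 once the child has exited. */
static int spawn_child_writer(int fd) {
    char cmd[96];
    /* 2>/dev/null comes first so the "Bad file descriptor" message in the
     * closed case is swallowed; >&N then dups the inherited fd if present. */
    snprintf(cmd, sizeof cmd, "printf 'planted-by-child\\n' 2>/dev/null >&%d", fd);
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    return waitpid(pid, &status, 0) < 0 ? -1 : 0;
}

/* Whole experiment: open a constructed temp log (with or without O_CLOEXEC),
 * write one parent line, spawn a child, then read the file back. Returns 1 if
 * the child's marker landed in the log (descriptor leaked), 0 if it did not,
 * -1 on setup failure. */
int child_wrote_into_log(int close_on_exec) {
    char path[] = "/tmp/pam-u2f-debug-XXXXXX";  /* constructed temp file */
    int tmp = mkstemp(path);
    if (tmp < 0)
        return -1;
    close(tmp);

    int fd = open_debug_log(path, close_on_exec);
    if (fd < 0) {
        unlink(path);
        return -1;
    }
    const char parent_line[] = "debug(pam_u2f): parent wrote this\n";
    if (write(fd, parent_line, sizeof parent_line - 1) < 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    int rc = spawn_child_writer(fd);
    close(fd);

    int found = 0;
    FILE *f = fopen(path, "r");
    if (f) {
        char line[128];
        while (fgets(line, sizeof line, f))
            if (strstr(line, "planted-by-child"))
                found = 1;
        fclose(f);
    }
    unlink(path);
    return rc < 0 ? -1 : found;
}

int main(void) {
    printf("log opened without O_CLOEXEC: child wrote into it = %d\n",
           child_wrote_into_log(0));
    printf("log opened with    O_CLOEXEC: child wrote into it = %d\n",
           child_wrote_into_log(1));
    return 0;
}
```

Running it prints 1 for the leaky open and 0 for the O_CLOEXEC open. The same idea applies to reading: a child holding the inherited descriptor can read whatever the parent has logged to that file, which is the information-leak side of the advisory. When auditing a PAM module or any daemon that spawns children, walk its open descriptors (for example via has_cloexec above, or /proc/PID/fdinfo on Linux) and confirm that anything not meant for the child carries FD_CLOEXEC.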
Metrics
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Yubico | pam-u2f | 1.0.7 |
References
- http://www.openwall.com/lists/oss-security/2019/06/05/1 (Exploit, Mailing List, Third Party Advisory)
- https://developers.yubico.com/pam-u2f/Release_Notes.html (Release Notes, Vendor Advisory)
- https://github.com/Yubico/pam-u2f/commit/18b1914e32b74ff52000f10e97067e841e5fff62 (Patch, Third Party Advisory)
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2019-12210?
A file-descriptor leak in Yubico pam-u2f 1.0.7: when debug is enabled and debug_file points at a custom log, the log's descriptor is inherited by processes spawned from the authenticating process, which can then read from and write to it.
How severe is CVE-2019-12210?
No severity score is recorded here; EPSS estimates a 1.87% chance of exploitation in the next 30 days. The issue is only reachable when both debug and debug_file are configured.
How do I fix CVE-2019-12210?
Upgrade to a pam-u2f release that includes commit 18b1914e32b74ff52000f10e97067e841e5fff62 (see the vendor release notes in the references). Until then, do not set debug_file on production systems, or leave debug disabled.
Source: NVD / NIST
