Rapid7 Vulnerability & Exploit Database

SUSE: CVE-2019-12209: SUSE Linux Security Advisory

Severity: 5
CVSS: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Published: 06/04/2019
Created: 07/06/2019
Added: 07/05/2019
Modified: 10/22/2021

Description

Yubico pam-u2f 1.0.7 attempts parsing of the configured authfile (default $HOME/.config/Yubico/u2f_keys) as root (unless openasuser was enabled), and does not properly verify that the path lacks symlinks pointing to other files on the system owned by root. If the debug option is enabled in the PAM configuration, part of the file contents of a symlink target will be logged, possibly revealing sensitive information.
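
To check a host for the condition described above, the following added example (not Rapid7's or Yubico's code) scans PAM configuration text for pam_u2f entries that enable debug without openasuser, and lists symlinks along an authfile path. The sample PAM file and the function names are constructed for illustration.

```python
import os

DEFAULT_AUTHFILE = "$HOME/.config/Yubico/u2f_keys"  # default named in the advisory

# Constructed sample PAM service file, not taken from a real host.
SAMPLE_PAM = """\
# /etc/pam.d/example (constructed)
auth required pam_u2f.so debug
auth sufficient pam_u2f.so debug openasuser
auth required pam_u2f.so cue
auth [success=1 default=ignore] pam_u2f.so debug authfile=/etc/u2f_mappings
auth required pam_unix.so
"""

def audit_pam_u2f(pam_text):
    """Return (line number, authfile) for pam_u2f entries that parse the
    authfile as root (no openasuser) and log its contents (debug)."""
    findings = []
    for lineno, raw in enumerate(pam_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()  # drop comments, split fields
        idx = next((i for i, t in enumerate(tokens) if t.endswith("pam_u2f.so")), None)
        if idx is None:
            continue
        opts = tokens[idx + 1:]  # module arguments follow the module name
        if "debug" in opts and "openasuser" not in opts:
            authfile = next((o.split("=", 1)[1] for o in opts
                             if o.startswith("authfile=")), DEFAULT_AUTHFILE)
            findings.append((lineno, authfile))
    return findings

def symlink_components(path):
    """List every component of path that is a symlink (final one included)."""
    found, current = [], os.sep
    for part in os.path.abspath(path).split(os.sep):
        if part:
            current = os.path.join(current, part)
            if os.path.islink(current):
                found.append(current)
    return found

if __name__ == "__main__":
    for lineno, authfile in audit_pam_u2f(SAMPLE_PAM):
        print(f"line {lineno}: debug without openasuser, authfile={authfile}")
```

Run `audit_pam_u2f` over the contents of each file in the PAM configuration directory, then pass each user's resolved authfile path to `symlink_components`; any non-empty result on a flagged entry warrants review until the packages below are applied.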

Solution(s)

  • suse-upgrade-libu2f-host-devel
  • suse-upgrade-libu2f-host-doc
  • suse-upgrade-libu2f-host0
  • suse-upgrade-pam_u2f
  • suse-upgrade-u2f-host
