CVE-2014-3879

critical

Description

OpenPAM Nummularia 9.2 through 10.0 does not properly handle the error reported when an include directive refers to a policy that does not exist, which causes the loaded policy chain to no be discarded and allows context-dependent attackers to bypass authentication via a login (1) without a password or (2) with an incorrect password.

References

http://www.securitytracker.com/id/1030330

http://www.securityfocus.com/bid/67808

http://www.openpam.org/browser/openpam/trunk/HISTORY

http://www.freebsd.org/security/advisories/FreeBSD-SA-14:13.pam.asc

Details

Source: Mitre, NVD

Published: 2020-02-18

Updated: 2020-02-27

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical