CVE-2009-1384

Eyrie Pam-krb5 - Authentication Bypass

Title source: rule

Description

pam_krb5 2.2.14 through 2.3.4, as used in Red Hat Enterprise Linux (RHEL) 5, generates different password prompts depending on whether the user account exists, which allows remote attackers to enumerate valid usernames.

References (12)

[Third Party Advisory, VDB Entry] http://osvdb.org/54791

[Vendor Advisory] http://www.mandriva.com/security/advisories?name=MDVSA-2010:054

[Vendor Advisory] https://bugzilla.redhat.com/show_bug.cgi?id=502602

[Third Party Advisory, VDB Entry] https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7081

[Third Party Advisory, VDB Entry] https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9652

[Vendor Advisory] http://www.vmware.com/security/advisories/VMSA-2011-0003.html

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/archive/1/516397/100/0/threaded

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/35112

[Mailing List] http://www.openwall.com/lists/oss-security/2009/05/27/1

[Third Party Advisory] http://secunia.com/advisories/35230

[Third Party Advisory] http://secunia.com/advisories/43314

[Third Party Advisory] http://www.vupen.com/english/advisories/2009/1448

Scores

EPSS 0.0177

EPSS Percentile 82.5%

Classification

CWE

CWE-287

Status draft

Affected Products (3)

eyrie/pam-krb5

Timeline

Published May 28, 2009

Tracked Since Feb 18, 2026