CVE-2018-9275

HIGH

Yubico Pam < 2.25 - Information Disclosure

Title source: rule

Description

In check_user_token in util.c in the Yubico PAM module (aka pam_yubico) 2.18 through 2.25, successful logins can leak file descriptors to the auth mapping file, which can lead to information disclosure (serial number of a device) and/or DoS (reaching the maximum number of file descriptors).

References (3)

Core 3

Core References

Issue Tracking, Third Party Advisory x_refsource_confirm

https://bugzilla.opensuse.org/show_bug.cgi?id=1088027

Patch x_refsource_confirm

https://github.com/Yubico/yubico-pam/commit/0f6ceabab0a8849b47f67d727aa526c2656089ba

View Patch ZIP pw:eip

Issue Tracking, Third Party Advisory x_refsource_confirm

https://github.com/Yubico/yubico-pam/issues/136

Scores

CVSS v3 8.2

EPSS 0.0049

EPSS Percentile 65.7%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Details

CWE

CWE-200

Status published

Products (1)

yubico/yubico_pam 2.18 - 2.25

Published Apr 04, 2018

Tracked Since Feb 18, 2026