CVE-2015-3238

Public on 2015-08-24
Modified on 2015-09-02
Description
It was discovered that the _unix_run_helper_binary() function of PAM's unix_pam module could write to a blocking pipe, possibly causing the function to become unresponsive. An attacker able to supply large passwords to the unix_pam module could use this flaw to enumerate valid user accounts, or cause a denial of service on the system.
Severity
Medium
CVSS v3 Base Score
6.4

Affected Packages

| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 1 | pam | 2015-09-02 | ALAS-2015-589 | Fixed |

CVSS Scores

| Score Type | Score | Vector |
|---|---|---|
| Amazon Linux CVSSv2 | 6.4 | AV:N/AC:L/Au:N/C:P/I:N/A:P |
| NVD CVSSv2 | 5.8 | AV:N/AC:M/Au:N/C:P/I:N/A:P |
| NVD CVSSv3 | 6.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L |