CVE-2024-10963

Publication date 7 November 2024

Last updated 19 November 2024


Ubuntu priority

Cvss 3 Severity Score

7.4 · High

Score breakdown

A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This vulnerability allows attackers to trick the system by pretending to be a trusted hostname, gaining unauthorized access. This issue poses a risk for systems that rely on this feature to control who can access certain services or terminals.

Read the notes from the security team

Status

Package Ubuntu Release Status
pam 24.10 oracular
Vulnerable, fix deferred
24.04 LTS noble
Vulnerable, fix deferred
22.04 LTS jammy
Vulnerable, fix deferred
20.04 LTS focal
Vulnerable, fix deferred
18.04 LTS bionic
Vulnerable, fix deferred
16.04 LTS xenial
Vulnerable, fix deferred
14.04 LTS trusty Ignored end of ESM support, was deferred [2024-11-19]

Notes


mdeslaur

as of 2024-11-19, the proposed fix has not been added to the upstream tree yet

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
pam

Severity score breakdown

Parameter Value
Base score 7.4 · High
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact None
Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N