Pam_Access Vulnerability: Bypassing Access Restrictions through Token Manipulation

CVE-2024-10963

7.4HIGH

Key Information

Vendor: Red Hat
Status: Red Hat Enterprise Linux 7; Red Hat Enterprise Linux 8; Red Hat Enterprise Linux 9; Red Hat Openshift Container Platform 4
Vendor: CVE Published:; 7 November 2024

Summary

A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This vulnerability allows attackers to trick the system by pretending to be a trusted hostname, gaining unauthorized access. This issue poses a risk for systems that rely on this feature to control who can access certain services or terminals.

CVSS V3.1

Score:

7.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Risk change from: 6.5 to: 7.4 - (HIGH)
Nov 8, 2024
Risk change from: null to: 6.5 - (MEDIUM)
Nov 7, 2024
Reported to Red Hat.
Nov 7, 2024
Vulnerability Reserved.
Nov 7, 2024
Vulnerability published.
Nov 7, 2024

Collectors

NVD DatabaseMitre Database