National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

CVE-2009-1384 Detail

Description

pam_krb5 2.2.14 through 2.3.4, as used in Red Hat Enterprise Linux (RHEL) 5, generates different password prompts depending on whether the user account exists, which allows remote attackers to enumerate valid usernames.

Source:  MITRE      Last Modified:  05/28/2009

Quick Info

CVE Dictionary Entry:
CVE-2009-1384
Original release date:
05/28/2009
Last revised:
09/28/2017
Source:
US-CERT/NIST

Impact

CVSS Severity (version 2.0):
CVSS v2 Base Score:
5.0 MEDIUM
Vector:
(AV:N/AC:L/Au:N/C:P/I:N/A:N) (legend)
Impact Subscore:
2.9
Exploitability Subscore:
10.0
CVSS Version 2 Metrics:
Access Vector:
Network exploitable
Access Complexity:
Low
Authentication:
Not required to exploit
Impact Type:
Allows unauthorized disclosure of information

Vendor Statements (disclaimer)

Official Statement from Red Hat (03/31/2010)

This issue did not affect the versions of the pam_krb5 packages, as shipped with Red Hat Enterprise Linux 3 and 4. The issue was addressed in the pam_krb5 packages as shipped with Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2010-0258.html

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink Resource Type Source Name
http://www.mandriva.com/security/advisories?name=MDVSA-2010:054 External Source MANDRIVA MDVSA-2010:054
http://www.openwall.com/lists/oss-security/2009/05/27/1 External Source MLIST [oss-security] 20090527 CVE assignment notification (pam_krb5 CVE-2009-1384)
http://www.securityfocus.com/archive/1/archive/1/516397/100/0/threaded External Source BUGTRAQ 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
http://www.securityfocus.com/bid/35112 External Source BID 35112
http://www.vmware.com/security/advisories/VMSA-2011-0003.html External Source CONFIRM http://www.vmware.com/security/advisories/VMSA-2011-0003.html
http://www.vupen.com/english/advisories/2009/1448 External Source VUPEN ADV-2009-1448
https://bugzilla.redhat.com/show_bug.cgi?id=502602 Vendor Advisory External Source CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=502602
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7081 External Source OVAL oval:org.mitre.oval:def:7081
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9652 External Source OVAL oval:org.mitre.oval:def:9652

References to Check Content

Identifier:
oval:org.mitre.oval:def:7081
Check System:
http://oval.mitre.org/XMLSchema/oval-definitions-5
Hyperlink:
http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:7081
Identifier:
oval:org.mitre.oval:def:9652
Check System:
http://oval.mitre.org/XMLSchema/oval-definitions-5
Hyperlink:
http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:9652

Technical Details

Vulnerability Type (View All)

Change History 2 change records found - show changes