CVE-2024-10041
Nov. 12, 2024, 9:15 p.m.
4.7
Medium
Description
A vulnerability was found in PAM. The secret information is stored in memory, where the attacker can trigger the victim program to execute by sending characters to its standard input (stdin). As this occurs, the attacker can train the branch predictor to execute an ROP chain speculatively. This flaw could result in leaked passwords, such as those found in /etc/shadow while performing authentications.
Product(s) Impacted
| Vendor | Product | Versions |
|---|---|---|
| Linux-pam |
|
|
| Redhat |
|
|
Weaknesses
CWE-922
Insecure Storage of Sensitive Information
The product stores sensitive information without properly limiting read or write access by unauthorized actors.
*CPE(s)
| Type | Vendor | Product | Version | Update | Edition | Language | Software Edition | Target Software | Target Hardware | Other Information |
|---|---|---|---|---|---|---|---|---|---|---|
| a | linux-pam | linux-pam | - | / | / | / | / | / | / | / |
| o | redhat | enterprise_linux | 7.0 | / | / | / | / | / | / | / |
| o | redhat | enterprise_linux | 8.0 | / | / | / | / | / | / | / |
| o | redhat | enterprise_linux | 9.0 | / | / | / | / | / | / | / |
Tags
CVSS Score
CVSS Data
- Attack Vector: LOCAL
- Attack Complexity: HIGH
- Privileges Required: LOW
- Scope: UNCHANGED
- Confidentiality Impact: HIGH
- Integrity Impact: NONE
- Availability Impact: NONE
View Vector String
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Date
- Published: Oct. 23, 2024, 2:15 p.m.
- Last Modified: Nov. 12, 2024, 9:15 p.m.
Status : Modified
CVE has been recently published to the CVE List and has been received by the NVD.
More infoSource
secalert@redhat.com
*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.