CVE-2006-5170

2006-10-1004:06:00

CWE-755

[email protected]

web.nvd.nist.gov

cve-2006-5170

pam_ldap

nss_ldap

ldap

red hat

fedora

authentication bypass

security vulnerability

6.5 Medium

AI Score

Confidence

Low

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.005 Low

EPSS

Percentile

75.3%

JSON

pam_ldap in nss_ldap on Red Hat Enterprise Linux 4, Fedora Core 3 and earlier, and possibly other distributions does not return an error condition when an LDAP directory server responds with a PasswordPolicyResponse control response, which causes the pam_authenticate function to return a success code even if authentication has failed, as originally reported for xscreensaver.

CPENameOperatorVersion
redhat:enterprise_linuxredhat enterprise linuxeq4.0
fedoraproject:fedora_corefedoraproject fedora corelecore_3.0
redhat:enterprise_linux_desktopredhat enterprise linux desktopeq4.0
redhat:enterprise_linux_serverredhat enterprise linux servereq4.0
redhat:enterprise_linux_workstationredhat enterprise linux workstationeq4.0
redhat:enterprise_linux_for_ibm_z_systemsredhat enterprise linux for ibm z systemseq4.0_s390x
redhat:enterprise_linux_for_ibm_z_systemsredhat enterprise linux for ibm z systemseq4.0_s390
redhat:enterprise_linux_for_power_big_endianredhat enterprise linux for power big endianeq4.0
debian:debian_linuxdebian debian linuxeq3.1

CPE	Name	Operator	Version
redhat:enterprise_linux	redhat enterprise linux	eq	4.0
fedoraproject:fedora_core	fedoraproject fedora core	le	core_3.0
redhat:enterprise_linux_desktop	redhat enterprise linux desktop	eq	4.0
redhat:enterprise_linux_server	redhat enterprise linux server	eq	4.0
redhat:enterprise_linux_workstation	redhat enterprise linux workstation	eq	4.0
redhat:enterprise_linux_for_ibm_z_systems	redhat enterprise linux for ibm z systems	eq	4.0_s390x
redhat:enterprise_linux_for_ibm_z_systems	redhat enterprise linux for ibm z systems	eq	4.0_s390
redhat:enterprise_linux_for_power_big_endian	redhat enterprise linux for power big endian	eq	4.0
debian:debian_linux	debian debian linux	eq	3.1