PRIOn knowledge basePRION:CVE-2013-7322Deserialization of untrusted data
6.8 Medium
AI Score
Confidence
Low
4.9 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:P/I:P/A:N
0.002 Low
EPSS
Percentile
50.7%
usersfile.c in liboath in OATH Toolkit before 2.4.1 does not properly handle lines containing an invalid one-time-password (OTP) type and a user name in /etc/users.oath, which causes the wrong line to be updated when invalidating an OTP and allows context-dependent attackers to conduct replay attacks, as demonstrated by a commented out line when using libpam-oath.
References
lists.nongnu.org/archive/html/oath-toolkit-help/2013-12/msg00000.html
lists.nongnu.org/archive/html/oath-toolkit-help/2013-12/msg00002.html
lists.nongnu.org/archive/html/oath-toolkit-help/2013-12/msg00003.html
seclists.org/oss-sec/2014/q1/296
www.nongnu.org/oath-toolkit/NEWS.html
exchange.xforce.ibmcloud.com/vulnerabilities/91316
Related
6.8 Medium
AI Score
Confidence
Low
4.9 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:P/I:P/A:N
0.002 Low
EPSS
Percentile
50.7%