Ubuntu.comUB:CVE-2020-24612CVE-2020-24612
4.7 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
1.9 Low
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:M/Au:N/C:P/I:N/A:N
0.0004 Low
EPSS
Percentile
11.8%
An issue was discovered in the selinux-policy (aka Reference Policy)
package 3.14 through 2020-08-24 because the .config/Yubico directory is
mishandled. Consequently, when SELinux is in enforced mode, pam-u2f is not
allowed to read the user’s U2F configuration file. If configured with the
nouserok option (the default when configured by the authselect tool), and
that file cannot be read, the second factor is disabled. An attacker with
only the knowledge of the password can then log in, bypassing 2FA.
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| ubuntu | 18.04 | noarch | refpolicy | < any | UNKNOWN |
| ubuntu | 20.04 | noarch | refpolicy | < any | UNKNOWN |
| ubuntu | 22.04 | noarch | refpolicy | < any | UNKNOWN |
| ubuntu | 23.10 | noarch | refpolicy | < any | UNKNOWN |
| ubuntu | 24.04 | noarch | refpolicy | < any | UNKNOWN |
| ubuntu | 14.04 | noarch | refpolicy | < any | UNKNOWN |
| ubuntu | 16.04 | noarch | refpolicy | < any | UNKNOWN |
References
Related
4.7 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
1.9 Low
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:M/Au:N/C:P/I:N/A:N
0.0004 Low
EPSS
Percentile
11.8%