CVE-2011-4120

Summary

Yubico PAM Module before 2.10 performed user authentication when 'use_first_pass' PAM configuration option was not used and the module was configured as 'sufficient' in the PAM configuration. A remote attacker could use this flaw to circumvent common authentication process and obtain access to the account in question by providing a NULL value (pressing Ctrl-D keyboard sequence) as the password string.

Affected Software

VendorProductVersion RangeStatus
yubico-pamyubico-pambefore 2.10affected

Weaknesses

  • Other

ADP Enrichment

CVE Program Container

Additional References

References