CVE-2009-0360

EUVD-2009-0364
Russ Allbery pam-krb5 before 3.13, when linked against MIT Kerberos, does not properly initialize the Kerberos libraries for setuid use, which allows local users to gain privileges by pointing an environment variable to a modified Kerberos configuration file, and then launching a PAM-based setuid application.
Provider  Type     Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST      Primary  6.2         LOCAL        HIGH             UNKNOWN         AV:L/AC:H/Au:N/C:C/I:C/A:C

CVSS 3.x Base Score: none listed
EPSS Score: percentile 48%
Affected Products (NVD)

Vendor  Product   Version
eyrie   pam-krb5  x ≤ 3.12
eyrie   pam-krb5  2.0, 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 3.0, 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10, 3.11

x = vulnerable software versions
Debian Releases

Debian Product  Codename  Version  Status
libpam-krb5     bookworm  4.11-1   fixed
libpam-krb5     bullseye  4.9-2    fixed
libpam-krb5     sid       4.11-2   fixed
libpam-krb5     trixie    4.11-2   fixed
Ubuntu Releases

Ubuntu Product  Codename  Fixed Version         Status
libpam-krb5     dapper    -                     ignored
libpam-krb5     gutsy     -                     ignored
libpam-krb5     hardy     3.10-1ubuntu0.8.04.1  released
libpam-krb5     intrepid  3.10-1ubuntu0.8.10.1  released
libpam-krb5     jaunty    3.11-4ubuntu1         released
libpam-krb5     karmic    3.11-4ubuntu1         released
References