CVE-2020-27780

EUVD-2020-20284
A flaw was found in Linux-PAM in versions prior to 1.5.1 in the way it handles empty passwords for non-existing users. When the user doesn't exist, PAM tries to authenticate with root, and in the case of an empty password it successfully authenticates.
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 9.8 CRITICAL | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
EPSS Score
Percentile: 62%
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| linux-pam | linux-pam | 1.5.0 ≤ 𝑥 < 1.5.1 |

𝑥 = Vulnerable software versions
Debian Releases
| Debian Product | Codename | Version | Status |
|---|---|---|---|
| pam | bookworm | 1.5.2-6+deb12u1 | fixed |
| pam | bullseye | 1.4.0-9+deb11u1 | fixed |
| pam | sid | 1.5.3-7 | fixed |
| pam | trixie | 1.5.3-7 | fixed |
Ubuntu Releases
| Ubuntu Product | Codename | Status |
|---|---|---|
| pam | bionic | not-affected |
| pam | focal | not-affected |
| pam | groovy | not-affected |
| pam | trusty | not-affected |
| pam | xenial | not-affected |