CVE-2025-23013

EPSS 0.08%
Veröffentlicht 15.01.2025 04:15:20
Zuletzt bearbeitet 03.02.2025 10:15:09
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

In Yubico pam-u2f before 1.3.1, local privilege escalation can sometimes occur. This product implements a Pluggable Authentication Module (PAM) that can be deployed to support authentication using a YubiKey or other FIDO compliant authenticators on macOS or Linux. This software package has an issue that allows for an authentication bypass in some configurations. An attacker would require the ability to access the system as an unprivileged user. Depending on the configuration, the attacker may also need to know the user's password.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 10

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerYubico

≫

Produkt pam-u2f

Default Statusunaffected

Version < 1.3.1

Version 0

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.08%	0.238

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
cve@mitre.org	7.3	0	0	CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-394 Unexpected Status Code or Return Value

The product does not properly check when a function or operation returns a value that is legitimate for the function, but is not expected by the product.

https://www.yubico.com/support/security-advisories/ysa-2025-01/

http://www.openwall.com/lists/oss-security/2025/01/15/1

http://www.openwall.com/lists/oss-security/2025/01/16/2

http://www.openwall.com/lists/oss-security/2025/01/16/3

http://www.openwall.com/lists/oss-security/2025/01/16/4

http://www.openwall.com/lists/oss-security/2025/01/16/5

https://lists.debian.org/debian-lts-announce/2025/02/msg00001.html

https://nvd.nist.gov/vuln/detail/CVE-2025-23013

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-23013

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-23013

EUVD