CVE-2009-3232

pam-auth-update for PAM, as used in Ubuntu 8.10 and 9.4, and Debian GNU/Linux, does not properly handle an "empty selection" for system authentication modules in certain rare configurations, which causes any attempt to be successful and allows remote attackers to bypass authentication.

Published: Sep 17, 2009
Updated: Apr 13, 2023
CVE: CVE-2009-3232
Severity: High
Exploit:

CVSS v2:

Severity: High
Score: 9.3
AV:N/AC:M/Au:N/C:C/I:C/A:C

CWEs:

CWE-287

OWASP TOP 10:

A2 - Broken Authentication

Affected Software
References

Software	From	Fixed in
canonical / ubuntu_linux	9.04	9.04.x
canonical / ubuntu_linux	8.10	8.10.x

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=519927
http://secunia.com/advisories/36620
http://www.openwall.com/lists/oss-security/2009/09/08/7
http://www.securityfocus.com/bid/36306
https://launchpad.net/bugs/410171
https://usn.ubuntu.com/828-1/

Vulnerability Database

CVE-2009-3232