{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-47191", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-10-18T03:08:08.622Z", "dateReserved": "2024-09-20T00:00:00", "datePublished": "2024-10-09T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-10-09T05:08:49.223530"}, "descriptions": [{"lang": "en", "value": "pam_oath.so in oath-toolkit 2.6.7 through 2.6.11 before 2.6.12 allows root privilege escalation because, in the context of PAM code running as root, it mishandles usersfile access, such as by calling fchown in the presence of a symlink."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://gitlab.com/oath-toolkit/oath-toolkit/-/issues/43"}, {"url": "https://www.openwall.com/lists/oss-security/2024/10/04/2"}, {"url": "https://security.opensuse.org/2024/10/04/oath-toolkit-vulnerability.html"}, {"url": "https://www.nongnu.org/oath-toolkit/security/CVE-2024-47191"}, {"url": "https://gitlab.com/oath-toolkit/oath-toolkit/-/commit/60d9902b5c20f27e70f8e9c816bfdc0467567e1a"}, {"url": "https://gitlab.com/oath-toolkit/oath-toolkit/-/commit/3235a52f6b87cd1c5da6508f421ac261f5e33a70"}, {"url": "https://gitlab.com/oath-toolkit/oath-toolkit/-/commit/3271139989fde35ab0163b558fc29e80c3a280e5"}, {"url": "https://gitlab.com/oath-toolkit/oath-toolkit/-/commit/95ef255e6a401949ce3f67609bf8aac2029db418"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/10/04/2"}, {"url": "http://www.openwall.com/lists/oss-security/2024/10/05/1"}, {"url": "http://www.openwall.com/lists/oss-security/2024/10/08/1"}, {"url": "http://www.openwall.com/lists/oss-security/2024/10/08/2"}, {"url": "http://www.openwall.com/lists/oss-security/2024/10/08/4"}, {"url": "http://www.openwall.com/lists/oss-security/2024/10/15/7"}, {"url": "http://www.openwall.com/lists/oss-security/2024/10/17/1"}, {"url": "http://www.openwall.com/lists/oss-security/2024/10/18/1"}, {"url": "http://www.openwall.com/lists/oss-security/2024/10/18/2"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-10-18T03:08:08.622Z"}}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-22", "lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "affected": [{"vendor": "nongnu", "product": "oath_toolkit", "cpes": ["cpe:2.3:a:nongnu:oath_toolkit:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "2.6.7", "status": "affected", "lessThan": "2.6.12", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-10-09T20:58:10.911455Z", "id": "CVE-2024-47191", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-09T21:01:52.394Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/10/04/2"}, {"url": "http://www.openwall.com/lists/oss-security/2024/10/05/1"}, {"url": "http://www.openwall.com/lists/oss-security/2024/10/08/1"}, {"url": "http://www.openwall.com/lists/oss-security/2024/10/08/2"}, {"url": "http://www.openwall.com/lists/oss-security/2024/10/08/4"}, {"url": "http://www.openwall.com/lists/oss-security/2024/10/15/7"}, {"url": "http://www.openwall.com/lists/oss-security/2024/10/17/1"}, {"url": "http://www.openwall.com/lists/oss-security/2024/10/18/1"}, {"url": "http://www.openwall.com/lists/oss-security/2024/10/18/2"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-10-18T03:08:08.622Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-47191", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-10-09T20:58:10.911455Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:nongnu:oath_toolkit:*:*:*:*:*:*:*:*"], "vendor": "nongnu", "product": "oath_toolkit", "versions": [{"status": "affected", "version": "2.6.7", "lessThan": "2.6.12", "versionType": "custom"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-09T20:59:40.757Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://gitlab.com/oath-toolkit/oath-toolkit/-/issues/43"}, {"url": "https://www.openwall.com/lists/oss-security/2024/10/04/2"}, {"url": "https://security.opensuse.org/2024/10/04/oath-toolkit-vulnerability.html"}, {"url": "https://www.nongnu.org/oath-toolkit/security/CVE-2024-47191"}, {"url": "https://gitlab.com/oath-toolkit/oath-toolkit/-/commit/60d9902b5c20f27e70f8e9c816bfdc0467567e1a"}, {"url": "https://gitlab.com/oath-toolkit/oath-toolkit/-/commit/3235a52f6b87cd1c5da6508f421ac261f5e33a70"}, {"url": "https://gitlab.com/oath-toolkit/oath-toolkit/-/commit/3271139989fde35ab0163b558fc29e80c3a280e5"}, {"url": "https://gitlab.com/oath-toolkit/oath-toolkit/-/commit/95ef255e6a401949ce3f67609bf8aac2029db418"}], "descriptions": [{"lang": "en", "value": "pam_oath.so in oath-toolkit 2.6.7 through 2.6.11 before 2.6.12 allows root privilege escalation because, in the context of PAM code running as root, it mishandles usersfile access, such as by calling fchown in the presence of a symlink."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-10-09T05:08:49.223530"}}}, "cveMetadata": {"cveId": "CVE-2024-47191", "state": "PUBLISHED", "dateUpdated": "2024-10-18T03:08:08.622Z", "dateReserved": "2024-09-20T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2024-10-09T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "pam_oath.so in oath-toolkit 2.6.7 through 2.6.11 before 2.6.12 allows root privilege escalation because, in the context of PAM code running as root, it mishandles usersfile access, such as by calling fchown in the presence of a symlink."}, {"lang": "es", "value": "pam_oath.so en oath-toolkit 2.6.7 a 2.6.11 antes de 2.6.12 permite la escalada de privilegios de root porque, en el contexto del c\u00f3digo PAM que se ejecuta como root, maneja incorrectamente el acceso a los archivos de los usuarios, como al llamar a fchown en presencia de un enlace simb\u00f3lico."}], "id": "CVE-2024-47191", "lastModified": "2024-11-21T09:39:30.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-10-09T05:15:13.420", "references": [{"source": "cve@mitre.org", "url": "https://gitlab.com/oath-toolkit/oath-toolkit/-/commit/3235a52f6b87cd1c5da6508f421ac261f5e33a70"}, {"source": "cve@mitre.org", "url": "https://gitlab.com/oath-toolkit/oath-toolkit/-/commit/3271139989fde35ab0163b558fc29e80c3a280e5"}, {"source": "cve@mitre.org", "url": "https://gitlab.com/oath-toolkit/oath-toolkit/-/commit/60d9902b5c20f27e70f8e9c816bfdc0467567e1a"}, {"source": "cve@mitre.org", "url": "https://gitlab.com/oath-toolkit/oath-toolkit/-/commit/95ef255e6a401949ce3f67609bf8aac2029db418"}, {"source": "cve@mitre.org", "url": "https://gitlab.com/oath-toolkit/oath-toolkit/-/issues/43"}, {"source": "cve@mitre.org", "url": "https://security.opensuse.org/2024/10/04/oath-toolkit-vulnerability.html"}, {"source": "cve@mitre.org", "url": "https://www.nongnu.org/oath-toolkit/security/CVE-2024-47191"}, {"source": "cve@mitre.org", "url": "https://www.openwall.com/lists/oss-security/2024/10/04/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2024/10/04/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2024/10/05/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2024/10/08/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2024/10/08/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2024/10/08/4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2024/10/15/7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2024/10/17/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2024/10/18/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2024/10/18/2"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:4238", "cpe": "cpe:/a:redhat:ceph_storage:6.1::el8", "package": "ceph-2:17.2.6-277.el8cp", "product_name": "Red Hat Ceph Storage 6.1", "release_date": "2025-04-28T00:00:00Z"}, {"advisory": "RHSA-2025:4238", "cpe": "cpe:/a:redhat:ceph_storage:6.1::el8", "package": "oath-toolkit-0:2.6.12-1.el9cp", "product_name": "Red Hat Ceph Storage 6.1", "release_date": "2025-04-28T00:00:00Z"}, {"advisory": "RHSA-2025:4664", "cpe": "cpe:/a:redhat:ceph_storage:7.1::el8", "package": "ceph-2:18.2.1-329.el9cp", "product_name": "Red Hat Ceph Storage 7.1", "release_date": "2025-05-07T00:00:00Z"}, {"advisory": "RHSA-2025:4664", "cpe": "cpe:/a:redhat:ceph_storage:7.1::el8", "package": "oath-toolkit-0:2.6.12-1.el9cp", "product_name": "Red Hat Ceph Storage 7.1", "release_date": "2025-05-07T00:00:00Z"}, {"advisory": "RHSA-2025:3635", "cpe": "cpe:/a:redhat:ceph_storage:8.0::el9", "package": "ceph-2:19.2.0-124.el9cp", "product_name": "Red Hat Ceph Storage 8.0", "release_date": "2025-04-07T00:00:00Z"}, {"advisory": "RHSA-2025:3635", "cpe": "cpe:/a:redhat:ceph_storage:8.0::el9", "package": "oath-toolkit-0:2.6.12-1.el9cp", "product_name": "Red Hat Ceph Storage 8.0", "release_date": "2025-04-07T00:00:00Z"}, {"advisory": "RHSA-2025:9775", "cpe": "cpe:/a:redhat:ceph_storage:8.1::el9", "package": "ceph-2:19.2.1-222.el9cp", "product_name": "Red Hat Ceph Storage 8.1", "release_date": "2025-06-26T00:00:00Z"}, {"advisory": "RHSA-2025:9775", "cpe": "cpe:/a:redhat:ceph_storage:8.1::el9", "package": "cephadm-ansible-1:4.1.4-1.el9cp", "product_name": "Red Hat Ceph Storage 8.1", "release_date": "2025-06-26T00:00:00Z"}, {"advisory": "RHSA-2025:9775", "cpe": "cpe:/a:redhat:ceph_storage:8.1::el9", "package": "oath-toolkit-0:2.6.12-1.el9cp", "product_name": "Red Hat Ceph Storage 8.1", "release_date": "2025-06-26T00:00:00Z"}], "bugzilla": {"description": "oath-toolkit: Local root exploit in a PAM module", "id": "2316488", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2316488"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "status": "verified"}, "cwe": "CWE-22", "details": ["pam_oath.so in oath-toolkit 2.6.7 through 2.6.11 before 2.6.12 allows root privilege escalation because, in the context of PAM code running as root, it mishandles usersfile access, such as by calling fchown in the presence of a symlink.", "A vulnerability was found in a PAM module, the oath-toolkit. The module gained a feature that allowed placing the OTP state file, called the usersfile, in the home directory of the to-be-authenticated user. The PAM module performed unsafe file operations in the users' home directories. Since PAM stacks typically run as root, this flaw allows a malicious user to jeopardize an environment."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-47191", "package_state": [{"cpe": "cpe:/a:redhat:ceph_storage:4", "fix_state": "Out of support scope", "package_name": "oath-toolkit", "product_name": "Red Hat Ceph Storage 4"}, {"cpe": "cpe:/a:redhat:ceph_storage:5", "fix_state": "Affected", "package_name": "oath-toolkit", "product_name": "Red Hat Ceph Storage 5"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Affected", "package_name": "oath-toolkit", "product_name": "Red Hat Openshift Container Storage 4"}], "public_date": "2024-10-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-47191\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-47191"], "statement": "This vulnerability is rated Important rather than Moderate due to its potential for full privilege escalation without requiring complex attack vectors. The flaw in the `pam_oath.so` module allows unprivileged users to manipulate file operations within their home directories to exploit symlink attacks, enabling them to overwrite critical system files, such as `/etc/shadow`, with root-level privileges. Since PAM stacks typically run as root, this exploitation does not involve race conditions or reliance on environmental factors, making the attack straightforward and highly impactful.\nCeph uses an affected oath-toolkit version. However, it does not use the affected methods and it is not vulnerable to this issue.", "threat_severity": "Important"}

{}