CVE-2004-0653 - Solaris 9, when configured as a Kerberos client with patch 112908-12 or 115168-03 and using pam_krb5

CVE-2004-0653

Summary

Solaris 9, when configured as a Kerberos client with patch 112908-12 or 115168-03 and using pam_krb5 as an "auth" module with the debug feature enabled, records passwords in plaintext, which could allow local users to gain other user's passwords by reading log files.

References

Vulnerable Configurations

cpe:2.3:o:sun:solaris:9.0:*:sparc:*:*:*:*:*
cpe:2.3:o:sun:solaris:9.0:*:sparc:*:*:*:*:*

CVSS

Base:	2.1 (as of 11-10-2017 - 01:29)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
LOCAL	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	NONE	NONE

cvss-vector via4

AV:L/AC:L/Au:N/C:P/I:N/A:N

oval via4

accepted

2005-02-23T09:25:00.000-04:00

class

vulnerability

contributors

name Brian Soby
organization The MITRE Corporation
name Brian Soby
organization The MITRE Corporation

description

family

unix

oval:org.mitre.oval:def:2065

status

accepted

submitted

2004-10-12T12:00:00.000-04:00

title

Kerberos Client Plaintext Password Vulnerability

version

accepted

2011-05-09T04:01:28.701-04:00

class

vulnerability

contributors

name Robert L. Hollis
organization ThreatGuard, Inc.
name Nabil Ouchn
organization Security-Database
name Shane Shaffer
organization G2, Inc.

description

family

unix

oval:org.mitre.oval:def:255

status

accepted

submitted

2006-09-22T05:52:00.000-04:00

title

Clear Text Password Logging Vulnerability

version

refmap via4

bid	10606
cert-vn	VU#523710
ciac	O-172
secunia	11940
sunalert	101519 57587
xf	solaris-kerberos-password-plaintext(16450)

Last major update

11-10-2017 - 01:29

Published

06-08-2004 - 04:00

Last modified

11-10-2017 - 01:29