A vulnerability was found in PAM. The secret information is stored in memory, where the attacker can trigger the victim program to execute by sending characters to its standard input (stdin). As this occurs, the attacker can train the branch predictor to execute an ROP chain speculatively. This flaw could result in leaked passwords, such as those found in /etc/shadow while performing authentications.
History

Wed, 18 Dec 2024 02:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:enterprise_linux:9
cpe:/o:redhat:enterprise_linux:9

Wed, 18 Dec 2024 09:30:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:9 cpe:/a:redhat:enterprise_linux:9::appstream
cpe:/o:redhat:enterprise_linux:9::baseos
References

Wed, 27 Nov 2024 02:30:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:8

Tue, 26 Nov 2024 15:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:8 cpe:/o:redhat:enterprise_linux:8::baseos
References

Mon, 25 Nov 2024 00:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:rhel_eus:9.4::appstream
cpe:/o:redhat:rhel_eus:9.4::baseos
References

Fri, 22 Nov 2024 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Eus
CPEs cpe:/a:redhat:rhel_eus:9.4
Vendors & Products Redhat rhel Eus

Mon, 04 Nov 2024 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Linux-pam
Linux-pam linux-pam
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:linux-pam:linux-pam:-:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
Vendors & Products Linux-pam
Linux-pam linux-pam

Mon, 04 Nov 2024 17:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-922

Thu, 24 Oct 2024 01:30:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Moderate


Wed, 23 Oct 2024 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 23 Oct 2024 14:00:00 +0000

Type Values Removed Values Added
Description A vulnerability was found in PAM. The secret information is stored in memory, where the attacker can trigger the victim program to execute by sending characters to its standard input (stdin). As this occurs, the attacker can train the branch predictor to execute an ROP chain speculatively. This flaw could result in leaked passwords, such as those found in /etc/shadow while performing authentications.
Title Pam: libpam: libpam vulnerable to read hashed password
First Time appeared Redhat
Redhat enterprise Linux
CPEs cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux
References
Metrics cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2024-10-23T13:46:27.963Z

Updated: 2024-12-18T09:14:59.247Z

Reserved: 2024-10-16T16:13:54.632Z

Link: CVE-2024-10041

cve-icon Vulnrichment

Updated: 2024-10-23T14:35:20.386Z

cve-icon NVD

Status : Modified

Published: 2024-10-23T14:15:03.970

Modified: 2024-12-18T10:15:05.850

Link: CVE-2024-10041

cve-icon Redhat

Severity : Moderate

Publid Date: 2024-10-18T00:00:00Z

Links: CVE-2024-10041 - Bugzilla