Detections
Analytics

CVE-2009-0360

high

Description

Russ Allbery pam-krb5 before 3.13, when linked against MIT Kerberos, does not properly initialize the Kerberos libraries for setuid use, which allows local users to gain privileges by pointing an environment variable to a modified Kerberos configuration file, and then launching a PAM-based setuid application.

References

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5732

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5669

http://www.vupen.com/english/advisories/2009/0979

http://www.vupen.com/english/advisories/2009/0426

http://www.vupen.com/english/advisories/2009/0410

http://www.ubuntu.com/usn/USN-719-1

http://www.securityfocus.com/bid/33740

http://www.securityfocus.com/archive/1/500892/100/0/threaded

http://www.eyrie.org/~eagle/software/pam-krb5/security/2009-02-11.html

http://www.debian.org/security/2009/dsa-1721

http://support.avaya.com/elmodocs2/security/ASA-2009-070.htm

http://sunsolve.sun.com/search/document.do?assetkey=1-66-252767-1

http://securitytracker.com/id?1021711

http://security.gentoo.org/glsa/glsa-200903-39.xml

http://secunia.com/advisories/34449

http://secunia.com/advisories/34260

http://secunia.com/advisories/33917

http://secunia.com/advisories/33914

Details

Source: Mitre, NVD

Published: 2009-02-13

Updated: 2025-04-09

Risk Information

CVSS v2

Base Score: 6.2

Vector: CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C

Severity: Medium

CVSS v3

Base Score: 7.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity: High

EPSS

EPSS: 0.00127