CVE-2009-3232

critical

Description

pam-auth-update for PAM, as used in Ubuntu 8.10 and 9.4, and Debian GNU/Linux, does not properly handle an "empty selection" for system authentication modules in certain rare configurations, which causes any attempt to be successful and allows remote attackers to bypass authentication.

References

https://launchpad.net/bugs/410171

http://www.openwall.com/lists/oss-security/2009/09/08/7

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=519927

Details

Source: Mitre, NVD

Published: 2009-09-17

Updated: 2025-04-09

Risk Information

CVSS v2

Base Score: 9.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.00539