Alpine: multiple pam-u2f packages: security update to 1.1.1-r0

medium Tenable Self-Hosted Container Security Plugin ID 406204

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Yubico pam-u2f before 1.1.1 has a logic issue that, depending on the pam-u2f configuration and the
application used, could lead to a local PIN bypass. This issue does not allow user presence (touch) or
cryptographic signature verification to be bypassed, so an attacker would still need to physically possess
and interact with the YubiKey or another enrolled authenticator. If pam-u2f is configured to require PIN
authentication, and the application using pam-u2f allows the user to submit NULL as the PIN, pam-u2f will
attempt to perform a FIDO2 authentication without PIN. If this authentication is successful, the PIN
requirement is bypassed. (CVE-2021-31924)

See Also

https://security.alpinelinux.org/vuln/CVE-2021-31924

Plugin Details

Severity: Medium

ID: 406204

Version: Revision 1.30

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

CVSS v2

Risk Factor: Medium

Base Score: 4.6

Temporal Score: 3.4

Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2021-31924

CVSS v3

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.9

Vector: CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 5/25/2021

Reference Information

CVE: CVE-2021-31924