Alpine: multiple pam-u2f packages: security update to 1.3.1-r0

high Tenable Self-Hosted Container Security Plugin ID 427789

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- In Yubico pam-u2f before 1.3.1, local privilege escalation can sometimes occur. This product implements a
Pluggable Authentication Module (PAM) that can be deployed to support authentication using a YubiKey or
other FIDO compliant authenticators on macOS or Linux. This software package has an issue that allows for
an authentication bypass in some configurations. An attacker would require the ability to access the
system as an unprivileged user. Depending on the configuration, the attacker may also need to know the
user's password. (CVE-2025-23013)

See Also

https://security.alpinelinux.org/vuln/CVE-2025-23013

Plugin Details

Severity: High

ID: 427789

Version: Revision 1.5

Type: Local

Published: 5/30/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.49

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2025-23013

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 7.3

Threat Score: 4.4

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 1/15/2025

Reference Information

CVE: CVE-2025-23013