CVE-2019-16729
Publication date 24 September 2019
Last updated 24 July 2024
Ubuntu priority
CVSS 3 Severity Score
pam-python before 1.0.7-1 has an issue in regard to the default environment variable handling of Python, which could allow for local root escalation in certain PAM setups.
From the Ubuntu Security Team
Malte Kraus discovered that Pam-python mishandled certain environment variables. A local attacker could potentially use this vulnerability to execute programs as root.
Status
Package | Ubuntu Release | Status |
---|---|---|
pam-python | 20.04 LTS focal | Not affected |
pam-python | 18.04 LTS bionic | Fixed 1.0.6-1.1+deb10u1build0.18.04.1 |
pam-python | 16.04 LTS xenial | Fixed 1.0.4-1.1+deb8u1build0.16.04.1 |
pam-python | 14.04 LTS trusty | Not in release |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.8 · High |
Attack vector | Local |
Attack complexity | Low |
Privileges required | Low |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-4552-1: Pam-python vulnerability, 28 September 2020
- USN-4552-2: Pam-python vulnerability, 21 October 2020
- USN-4552-3: Pam-python regression, 28 October 2020