CVE-2019-12210

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2019-12210
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-12210.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2019-12210
Downstream
Related
Published
2019-06-04T21:29:00.827Z
Modified
2026-05-28T04:05:02.259617680Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
[none]
Details

In Yubico pam-u2f 1.0.7, when configured with debug and a custom debug log file is set using debug_file, that file descriptor is not closed when a new process is spawned. This leads to the file descriptor being inherited into the child process; the child process can then read from and write to it. This can leak sensitive information and also, if written to, be used to fill the disk or plant misinformation.

Database specific 
{
    "unresolved_ranges": [
        {
            "vendor_product": "yubico:pam-u2f",
            "cpes": [
                "cpe:2.3:a:yubico:pam-u2f:1.0.7:*:*:*:*:*:*:*"
            ],
            "extracted_events": [
                {
                    "last_affected": "1.0.7"
                }
            ],
            "source": "CPE_STRING"
        }
    ]
}
References

Affected packages

Git / github.com/yubico/pam-u2f

Affected ranges

Type
GIT
Repo
https://github.com/yubico/pam-u2f
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
18b1914e32b74ff52000f10e97067e841e5fff62
Database specific 
{
    "source": "REFERENCES"
}

Affected versions

pam_u2f-0.*
pam_u2f-0.0.0
pam_u2f-0.0.1
pam_u2f-1.*
pam_u2f-1.0.0
pam_u2f-1.0.1
pam_u2f-1.0.2
pam_u2f-1.0.3
pam_u2f-1.0.4
pam_u2f-1.0.5
pam_u2f-1.0.6
pam_u2f-1.0.7

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-12210.json"