| Vulnerability Name: | CVE-2014-9278 (CCN-99090) | ||||||||||||||||
| Assigned: | 2014-10-03 | ||||||||||||||||
| Published: | 2014-10-03 | ||||||||||||||||
| Updated: | 2017-09-08 | ||||||||||||||||
| Summary: | The OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 and when running in a Kerberos environment, allows remote authenticated users to log in as another user when they are listed in the .k5users file of that user, which might bypass intended authentication requirements that would force a local login. | ||||||||||||||||
| CVSS v3 Severity: | 3.5 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N)
| ||||||||||||||||
| CVSS v2 Severity: | 4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N) 3.0 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N/E:U/RL:OF/RC:C)
3.0 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N/E:U/RL:OF/RC:C)
3.6 Low (REDHAT Temporal CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:U/RL:OF/RC:C)
| ||||||||||||||||
| Vulnerability Type: | CWE-287 | ||||||||||||||||
| Vulnerability Consequences: | Bypass Security | ||||||||||||||||
| References: | Source: MITRE Type: CNA CVE-2014-9278 Source: CCN Type: RHSA-2015-0425 Moderate: openssh security, bug fix and enhancement update Source: REDHAT Type: UNKNOWN RHSA-2015:0425 Source: CCN Type: oss-security Mailing List, Tue, 02 Dec 2014 15:56:14 +0100 CVE request: OpenSSH ~/.k5users patch (Fedora and downstreams) Source: MISC Type: UNKNOWN http://thread.gmane.org/gmane.comp.encryption.kerberos.general/15855 Source: CCN Type: OpenSSH Web site Portable OpenSSH Source: MLIST Type: UNKNOWN [oss-security] 20141202 CVE request: OpenSSH ~/.k5users patch (Fedora and downstreams) Source: MLIST Type: UNKNOWN [oss-security] 20141204 Re: CVE request: OpenSSH ~/.k5users patch (Fedora and downstreams) Source: BID Type: UNKNOWN 71420 Source: CCN Type: BID-71420 Portable OpenSSH 'gss-serv-krb5.c' Security Bypass Vulnerability Source: CONFIRM Type: UNKNOWN https://bugzilla.mindrot.org/show_bug.cgi?id=1867 Source: CCN Type: Red Hat Bugzilla Bug 1169843 openssh: k5users unexpectedly grants remote login Source: CONFIRM Type: UNKNOWN https://bugzilla.redhat.com/show_bug.cgi?id=1169843 Source: XF Type: UNKNOWN openssh-gssservkrb5-sec-bypass(99090) Source: XF Type: UNKNOWN openssh-gssservkrb5-sec-bypass(99090) | ||||||||||||||||
| Vulnerable Configuration: | Configuration 1: Configuration RedHat 1: Configuration RedHat 2: Configuration RedHat 3: Configuration RedHat 4: Configuration RedHat 5:  Denotes that component is vulnerable | ||||||||||||||||
| Oval Definitions | |||||||||||||||||
| |||||||||||||||||
| BACK | |||||||||||||||||