In support.c in pam_tacplus 1.3.8 through 1.5.1, the TACACS+ shared secret gets logged via syslog if the DEBUG loglevel and journald are used.
References
Link | Resource |
---|---|
http://www.openwall.com/lists/oss-security/2020/06/08/1 | Mailing List Patch Third Party Advisory |
https://github.com/kravietz/pam_tacplus/commit/4a9852c31c2fd0c0e72fbb689a586aabcfb11cb0 | Patch Third Party Advisory |
https://github.com/kravietz/pam_tacplus/issues/149 | Issue Tracking Third Party Advisory |
https://lists.debian.org/debian-lts-announce/2020/06/msg00007.html | Mailing List Third Party Advisory |
https://lists.debian.org/debian-lts-announce/2021/08/msg00006.html | Mailing List Third Party Advisory |
https://usn.ubuntu.com/4521-1/ | Third Party Advisory |
https://www.arista.com/en/support/advisories-notices/security-advisories/11705-security-advisory-50 | Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
History
No history.
Information
Published : 2020-06-06 19:15
Updated : 2024-02-28 17:47
NVD link : CVE-2020-13881
Mitre link : CVE-2020-13881
CVE.ORG link : CVE-2020-13881
JSON object : View
Products Affected
debian
- debian_linux
arista
- cloudvision_portal
canonical
- ubuntu_linux
pam_tacplus_project
- pam_tacplus
CWE
CWE-532
Insertion of Sensitive Information into Log File