CVE-2017-12197

Name: CVE-2017-12197
Description: libpam4j up to and including 1.8 did not properly validate user accounts when authenticating: its authenticate() path checked the password via pam_authenticate() but never ran the PAM account-management stage (pam_acct_mgmt()), so account-state restrictions such as expiry were not enforced. A user holding a valid password for a disabled account could therefore bypass those restrictions and possibly access sensitive information.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-1165-1, DSA-4025-1
NVD severity: medium
Debian Bugs: 879001

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release                       Version         Status
libpam4j (PTS)    jessie, jessie (security)     1.4-2+deb8u1    fixed
libpam4j (PTS)    stretch, stretch (security)   1.4-2+deb9u1    fixed

The information below is based on the following data on fixed versions.

Package     Type     Release      Fixed Version   Urgency   Origin       Debian Bugs
libpam4j    source   (unstable)   1.4-3                                  879001
libpam4j    source   jessie       1.4-2+deb8u1              DSA-4025-1
libpam4j    source   stretch      1.4-2+deb9u1              DSA-4025-1
libpam4j    source   wheezy       1.4-2+deb7u1              DLA-1165-1

Notes

https://bugzilla.redhat.com/show_bug.cgi?id=1503103
https://github.com/kohsuke/libpam4j/issues/18
(Non-upstream) patch: https://github.com/letonez/libpam4j/commit/84f32f4001fc6bdcc125ccc959081de022d18b6d
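A practical way to confirm whether the libpam4j build on a host carries the fix is to authenticate, through its public API, a local account whose password is correct but whose account has been disabled: an affected build returns a UnixUser, a fixed build fails with a PAMException from the account-management stage. The probe below is an added example written for this page, not code from the libpam4j project or from the Debian advisories; it assumes a PAM service named "login" and a throwaway local account "probeuser" with password "probepass" that the operator has expired beforehand (for instance with `usermod --expiredate 1 probeuser`).

```java
import org.jvnet.libpam.PAM;
import org.jvnet.libpam.PAMException;
import org.jvnet.libpam.UnixUser;

/**
 * Probe for CVE-2017-12197 behaviour in the installed libpam4j.
 *
 * Authenticates a user whose password is valid but whose account is
 * disabled. A fixed libpam4j runs pam_acct_mgmt() after
 * pam_authenticate() and throws PAMException; an affected build skips
 * the account check and hands back a UnixUser.
 */
public class AcctMgmtProbe {
    // Assumptions for this example (not taken from the advisory):
    // the PAM service "login" exists and the operator has created and
    // expired a local account "probeuser" whose password is "probepass".
    static final String SERVICE = "login";
    static final String USER = "probeuser";
    static final String PASSWORD = "probepass";

    /**
     * Returns true when libpam4j rejects the disabled account (fixed
     * build), false when it authenticates it anyway (affected build).
     */
    static boolean disabledAccountRejected(String service, String user, String password)
            throws PAMException {
        PAM pam = new PAM(service);
        try {
            UnixUser u = pam.authenticate(user, password);
            // Reached only if pam_acct_mgmt() was never consulted.
            System.out.println("AFFECTED: authenticated " + u.getUserName()
                    + " although the account is disabled");
            return false;
        } catch (PAMException e) {
            // Fixed builds land here with the account-management error.
            System.out.println("OK: rejected: " + e.getMessage());
            return true;
        } finally {
            // Release the pam_handle regardless of outcome.
            pam.dispose();
        }
    }

    public static void main(String[] args) throws PAMException {
        boolean fixed = disabledAccountRejected(SERVICE, USER, PASSWORD);
        System.exit(fixed ? 0 : 1);
    }
}
```

Two caveats when running it: the process needs enough privilege for the configured PAM modules to verify the password (root, or a setup that reaches unix_chkpwd), and a wrong password also produces a PAMException, so first confirm that the same credentials authenticate successfully before the account is expired; only then does a rejection afterwards show that the account stage is being enforced.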
