CVE-2008-3825

Impact:
Moderate
Public Date:
2008-10-01
IAVA:
2011-A-0066
Bugzilla:
461960: CVE-2008-3825 pam_krb5 existing_ticket permission flaw

The MITRE CVE dictionary describes this issue as:

pam_krb5 2.2.14 in Red Hat Enterprise Linux (RHEL) 5 and earlier, when the existing_ticket option is enabled, uses incorrect privileges when reading a Kerberos credential cache, which allows local users to gain privileges by setting the KRB5CCNAME environment variable to an arbitrary cache filename and running the (1) su or (2) sudo program. NOTE: there may be a related vector involving sshd that has limited relevance.

Find out more about CVE-2008-3825 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

This issue did not affect the version of pam_krb5 shipped in Red Hat Enterprise Linux 2.1, 3, or 4.

Red Hat Security Errata

Platform Errata Release Date
Red Hat Enterprise Linux 5 (pam_krb5) RHSA-2008:0907 2008-10-02

Acknowledgements

Red Hat would like to thank Stéphane Bertin for responsibly disclosing this issue.

This page is generated automatically and has not been checked for errors or omissions.

For clarification or corrections please contact Red Hat Product Security.

Last Modified

CVE description copyright © 2017, The MITRE Corporation

Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.