Home

Description

A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This vulnerability allows attackers to trick the system by pretending to be a trusted hostname, gaining unauthorized access. This issue poses a risk for systems that rely on this feature to control who can access certain services or terminals.

PUBLISHED Reserved 2024-11-07 | Published 2024-11-07 | Updated 2025-11-20 | Assigner redhat




HIGH: 7.4CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Problem types

Improper Authentication

Product status

Default status
unaffected

1.3.1 (semver)
affected

1.5.1 (semver)
affected

1.6.0 (semver) before 1.7.0
affected

Default status
affected

0:1.3.1-36.el8_10 (rpm) before *
unaffected

Default status
affected

0:1.5.1-22.el9_5 (rpm) before *
unaffected

Default status
affected

0:1.5.1-22.el9_5 (rpm) before *
unaffected

Default status
affected

0:1.5.1-23.el9_4 (rpm) before *
unaffected

Default status
affected

416.94.202411261619-0 (rpm) before *
unaffected

Default status
affected

417.94.202411261220-0 (rpm) before *
unaffected

Default status
affected

sha256:c2a79db6d2ba9c313640149a55f306e8aa4dc36f3cc24bf554c025503b013644 (rpm) before *
unaffected

Default status
unaffected

Default status
unaffected

Default status
unaffected

Timeline

2024-11-07:Reported to Red Hat.
2024-11-07:Made public.

References

access.redhat.com/errata/RHSA-2024:10232 (RHSA-2024:10232) vendor-advisory

access.redhat.com/errata/RHSA-2024:10244 (RHSA-2024:10244) vendor-advisory

access.redhat.com/errata/RHSA-2024:10379 (RHSA-2024:10379) vendor-advisory

access.redhat.com/errata/RHSA-2024:10518 (RHSA-2024:10518) vendor-advisory

access.redhat.com/errata/RHSA-2024:10528 (RHSA-2024:10528) vendor-advisory

access.redhat.com/errata/RHSA-2024:10852 (RHSA-2024:10852) vendor-advisory

access.redhat.com/security/cve/CVE-2024-10963 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2324291 (RHBZ#2324291) issue-tracking

cve.org (CVE-2024-10963)

nvd.nist.gov (CVE-2024-10963)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.