First published: Sat Jun 06 2020
In support.c in pam_tacplus 1.3.8 through 1.5.1, the TACACS+ shared secret gets logged via syslog if the DEBUG loglevel and journald are used.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Pam Tacplus Project Pam Tacplus | >=1.3.8, <=1.5.1 | |
Debian Debian Linux | =8.0 | |
Debian Debian Linux | =9.0 | |
Canonical Ubuntu Linux | =16.04 | |
Canonical Ubuntu Linux | =18.04 | |
Canonical Ubuntu Linux | =20.04 | |
Arista CloudVision Portal | <2020.1.2 | |
ubuntu/libpam-tacplus | <1.3.8-2+ | 1.3.8-2+ |
debian/libpam-tacplus |
The vulnerability ID is CVE-2020-13881.
The severity of CVE-2020-13881 is high with a CVSS score of 7.5.
The software versions affected by CVE-2020-13881 are pam_tacplus 1.3.8 through 1.5.1.
To fix CVE-2020-13881, update to version 1.3.8-2 or later of libpam-tacplus.
References related to CVE-2020-13881: [oss-security mailing list post](http://www.openwall.com/lists/oss-security/2020/06/08/1), [pam_tacplus commit 4a9852c](https://github.com/kravietz/pam_tacplus/commit/4a9852c31c2fd0c0e72fbb689a586aabcfb11cb0), [pam_tacplus issue 149](https://github.com/kravietz/pam_tacplus/issues/149).