{"id":"CVE-2019-12209","details":"Yubico pam-u2f 1.0.7 attempts parsing of the configured authfile (default $HOME/.config/Yubico/u2f_keys) as root (unless openasuser was enabled), and does not properly verify that the path lacks symlinks pointing to other files on the system owned by root. If the debug option is enabled in the PAM configuration, part of the file contents of a symlink target will be logged, possibly revealing sensitive information.","modified":"2026-04-11T12:42:21.013545Z","published":"2019-06-04T21:29:00.780Z","related":["SUSE-SU-2019:1749-1","SUSE-SU-2019:1750-1","openSUSE-SU-2019:1708-1","openSUSE-SU-2019:1725-1","openSUSE-SU-2024:11145-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZCGU6UQLI3ZTW3UYCTMQW7VDL5M4LCWR/"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00012.html"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00018.html"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5FOR4ADC356JPCHAJI5UXZORLC3VNBPS/"},{"type":"ADVISORY","url":"https://developers.yubico.com/pam-u2f/Release_Notes.html"},{"type":"FIX","url":"https://github.com/Yubico/pam-u2f/commit/7db3386fcdb454e33a3ea30dcfb8e8960d4c3aa3"},{"type":"EVIDENCE","url":"http://www.openwall.com/lists/oss-security/2019/06/05/1"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/yubico/pam-u2f","events":[{"introduced":"0"},{"fixed":"7db3386fcdb454e33a3ea30dcfb8e8960d4c3aa3"}]},{"type":"GIT","repo":"https://github.com/yubico/pam-u2f","events":[{"introduced":"0"},{"fixed":"7db3386fcdb454e33a3ea30dcfb8e8960d4c3aa3"}]}],"versions":["pam_u2f-0.0.0","pam_u2f-0.0.1","pam_u2f-1.0.0","pam_u2f-1.0.1","pam_u2f-1.0.2","pam_u2f-1.0.3","pam_u2f-1.0.4","pam_u2f-1.0.5","pam_u2f-1.0.6","pam_u2f-1.0.7"],"database_specific":{"vanir_signatures":[{"digest":{"function_hash":"190092078713224981052794975657320798984","length":6318},"deprecated":false,"source":"https://github.com/yubico/pam-u2f/commit/7db3386fcdb454e33a3ea30dcfb8e8960d4c3aa3","target":{"function":"pam_sm_authenticate","file":"pam-u2f.c"},"signature_type":"Function","id":"CVE-2019-12209-4c8a7ade","signature_version":"v1"},{"digest":{"threshold":0.9,"line_hashes":["250296066536919154674839163851516765508","59111452786323337913235261308682888245","141044651560406762454417501895253739569","126359054032938080789565256505569180900","220714864252976379688803145502688475012","106159406315499737346394770900863707770","33522756926003101309545187513930969527","71702326451260424737668205123381200191","327611880822787244142960116790272837488","231305736634594726001346628114074859277","163955949941476732340365084568922478628","322001690522104487392124877961531480196","122917560062141683582688657772822747687","138199726908497305244528752739313264649","77341871531213007699954046010910951287","224655575939885664906704728675255897797","303699464452316472783995436624293889408","171407542727841768998135646367153085064","1040401220391752097814007081848542318","27912806870969979261286961349193397318","63398289410222910950184796916234250752","209995171977491762399505741862331115317","21294114663909744224471564370406630954","299827442378922536678566154607701600472","249561506344594180486237785878278908893","64279706059051126987763302622989764325","89674261969872805465078510751477079537","64496481663788244759487716129584999689","283495615230663756794873339859325689751","97165761981535877271425842949349045261","306263898074518652377612561231518689404","81716346068354327908223233647390249550","53268192210624865124009940222692962583","274145719533260958364818024938258751394","85329958743355470946491303329051581321","194649338004069832641504185077214101845","179836419267729583861045579456958088413","58948533126361249229327132606155567887","81142259067198053490984316876348911071","314485511235383047367974874029533144611","329875576775740086332656653605590857954","133935251841805499863157142127834629482","159044414741092336700454310254793686751"]},"deprecated":false,"source":"https://github.com/yubico/pam-u2f/commit/7db3386fcdb454e33a3ea30dcfb8e8960d4c3aa3","target":{"file":"pam-u2f.c"},"signature_type":"Line","id":"CVE-2019-12209-ee50519a","signature_version":"v1"}],"vanir_signatures_modified":"2026-04-11T12:42:21Z","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"1.0.7"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-12209.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}