{"id":"CVE-2024-47191","details":"pam_oath.so in oath-toolkit 2.6.7 through 2.6.11 before 2.6.12 allows root privilege escalation because, in the context of PAM code running as root, it mishandles usersfile access, such as by calling fchown in the presence of a symlink.","modified":"2026-04-02T09:45:47.022600Z","published":"2024-10-09T05:15:13.420Z","related":["MGASA-2024-0335","USN-7059-2","openSUSE-SU-2024:14389-1"],"references":[{"type":"WEB","url":"https://security.opensuse.org/2024/10/04/oath-toolkit-vulnerability.html"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2024/10/08/1"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2024/10/15/7"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2024/10/18/1"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2024/10/08/2"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2024/10/08/4"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2024/10/17/1"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2024/10/04/2"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2024/10/05/1"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2024/10/18/2"},{"type":"WEB","url":"https://www.nongnu.org/oath-toolkit/security/CVE-2024-47191"},{"type":"WEB","url":"https://www.openwall.com/lists/oss-security/2024/10/04/2"},{"type":"REPORT","url":"https://gitlab.com/oath-toolkit/oath-toolkit/-/issues/43"},{"type":"FIX","url":"https://gitlab.com/oath-toolkit/oath-toolkit/-/commit/3235a52f6b87cd1c5da6508f421ac261f5e33a70"},{"type":"FIX","url":"https://gitlab.com/oath-toolkit/oath-toolkit/-/commit/95ef255e6a401949ce3f67609bf8aac2029db418"},{"type":"FIX","url":"https://gitlab.com/oath-toolkit/oath-toolkit/-/commit/60d9902b5c20f27e70f8e9c816bfdc0467567e1a"},{"type":"FIX","url":"https://gitlab.com/oath-toolkit/oath-toolkit/-/commit/3271139989fde35ab0163b558fc29e80c3a280e5"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://gitlab.com/oath-toolkit/oath-toolkit","events":[{"introduced":"3cb25fc9ff468d32b59eceb476c5f48cc870a837"},{"last_affected":"11b3c8e755bb13edf67e3cc532c8df543e0cb138"},{"introduced":"0"},{"fixed":"c872088aca029b4290b480002945c6a013d89086"},{"fixed":"3235a52f6b87cd1c5da6508f421ac261f5e33a70"},{"fixed":"3271139989fde35ab0163b558fc29e80c3a280e5"},{"fixed":"60d9902b5c20f27e70f8e9c816bfdc0467567e1a"},{"fixed":"95ef255e6a401949ce3f67609bf8aac2029db418"}],"database_specific":{"versions":[{"introduced":"2.6.7"},{"last_affected":"2.6.11"},{"introduced":"0"},{"fixed":"2.6.12"}]}}],"versions":["hotp-toolkit-1-0-1","oath-toolkit-1-10-0","oath-toolkit-1-10-1","oath-toolkit-1-10-2","oath-toolkit-1-10-3","oath-toolkit-1-10-4","oath-toolkit-1-10-5","oath-toolkit-1-12-0","oath-toolkit-1-12-1","oath-toolkit-1-12-2","oath-toolkit-1-12-3","oath-toolkit-1-12-4","oath-toolkit-1-12-5","oath-toolkit-1-12-6","oath-toolkit-1-2-0","oath-toolkit-1-2-1","oath-toolkit-1-2-2","oath-toolkit-1-2-3","oath-toolkit-1-4-0","oath-toolkit-1-4-1","oath-toolkit-1-4-2","oath-toolkit-1-4-3","oath-toolkit-1-4-4","oath-toolkit-1-4-5","oath-toolkit-1-4-6","oath-toolkit-1-6-0","oath-toolkit-1-6-1","oath-toolkit-1-6-2","oath-toolkit-1-6-3","oath-toolkit-1-6-4","oath-toolkit-1-8-0","oath-toolkit-1-8-1","oath-toolkit-1-8-2","oath-toolkit-1.10.2","oath-toolkit-1.10.3","oath-toolkit-2-0-0","oath-toolkit-2-0-1","oath-toolkit-2-0-2","oath-toolkit-2-2-0","oath-toolkit-2-4-0","oath-toolkit-2-4-1","oath-toolkit-2-6-0","oath-toolkit-2-6-1","oath-toolkit-2-6-2","oath-toolkit-2-6-3","oath-toolkit-2-6-4","oath-toolkit-2-6-5","oath-toolkit-2-6-6","oath-toolkit-2-6-7","oath-toolkit-2.6.10","oath-toolkit-2.6.11","oath-toolkit-2.6.7","oath-toolkit-2.6.8","oath-toolkit-2.6.9","oathtool-1-4-4","oathtool-1-4-5","v2.6.2"],"database_specific":{"vanir_signatures":[{"digest":{"length":1912,"function_hash":"150163475415627145780831233372622081079"},"deprecated":false,"signature_version":"v1","target":{"file":"liboath/usersfile.c","function":"update_usersfile"},"id":"CVE-2024-47191-63b8a56b","source":"https://gitlab.com/oath-toolkit/oath-toolkit@60d9902b5c20f27e70f8e9c816bfdc0467567e1a","signature_type":"Function"},{"digest":{"threshold":0.9,"line_hashes":["118303722128484534829763655044826199820","113750396407888520200423265814822843096","192205521156161072664369892599665425308","250587939673544900646532702394152180191","16577444785971714563791375677823370921","14607612104540372378154204410139244190","182066091048244177114587074548855596849","215404374122972526497467638636625735028","297982287930905698416979719555818143936","55284296392144119260195831427288783119","69099690595760508301862446981101351650","120817687958967094032479205627599015397","157374329403211883771087623990274716291","106095357129078415660026138811944413419","182385000968901722014047492822758553885","55365634476822112744265164094031217162","83209383107059770558321396557224001631","71734868786451371787144613188729725753","170203616653424055582777181962693383272","336087361047998539120287855152552999944","304382038967823919213150713134830339054","134540842428974960574249611175478893586","208635461179115996531600225667077032956","45369572654149848717780697485153569191","64661714366360538115522756694361327754","112055871870454573271165258004789918135","114970903677750122327091532121085730577","217057907718299189835151395394812066023","329102226999494724772557386499992281608","93115686196465329066855251917055504782","58529633996365227363196355905749948795","309170455227378883642288716027478250019","122068963921327377320249754870938883441","305402383358340015338011626571272897104","162375840121274077553642104579431210123","268610487008851323934819936869887638569"]},"deprecated":false,"signature_version":"v1","target":{"file":"pam_oath/pam_oath.c"},"id":"CVE-2024-47191-67835816","source":"https://gitlab.com/oath-toolkit/oath-toolkit@95ef255e6a401949ce3f67609bf8aac2029db418","signature_type":"Line"},{"digest":{"length":2149,"function_hash":"149950136308806768208460689370762907726"},"deprecated":false,"signature_version":"v1","target":{"file":"liboath/usersfile.c","function":"update_usersfile"},"id":"CVE-2024-47191-6a021342","source":"https://gitlab.com/oath-toolkit/oath-toolkit@3235a52f6b87cd1c5da6508f421ac261f5e33a70","signature_type":"Function"},{"digest":{"length":1710,"function_hash":"335507966447049814185238926324250774943"},"deprecated":false,"signature_version":"v1","target":{"file":"pam_oath/pam_oath.c","function":"parse_usersfile_str"},"id":"CVE-2024-47191-6ec55e22","source":"https://gitlab.com/oath-toolkit/oath-toolkit@95ef255e6a401949ce3f67609bf8aac2029db418","signature_type":"Function"},{"digest":{"length":4319,"function_hash":"307168639617190581096523711610506587392"},"deprecated":false,"signature_version":"v1","target":{"file":"pam_oath/pam_oath.c","function":"pam_sm_authenticate"},"id":"CVE-2024-47191-8a4e0645","source":"https://gitlab.com/oath-toolkit/oath-toolkit@60d9902b5c20f27e70f8e9c816bfdc0467567e1a","signature_type":"Function"},{"digest":{"threshold":0.9,"line_hashes":["63328830592474572626055283471493925677","128565006097052610939674930019415914912","196172903755106685320134478317343470076","51441189612312789236976496272157765986","130393951029159609173724525062108234858","224558060176194671403219288017329625950","150797272909165056874863075384496169614","322517342042764005251190109204663070232","67141607314984082648854631073684454486","75349079322159447547565025986032660088","160024789589820681024821762352021861195","49306201606412841008452130857080961450","107249290766096651937046023547870843075","71734868786451371787144613188729725753","170203616653424055582777181962693383272","336087361047998539120287855152552999944","304382038967823919213150713134830339054","62567755991714902376991352630842265692","267386137158390644613873664252477126902","54462751201651164265586516683338044070","161965603491518507529725632821649316272","316707026420753494558299754666425876578","339620478595089829505124405596602929293","96516713770514766103112196321856240827","59202156479327657537142101065511719631","12351231411124172754472608500712838223","89233773585319918384198120804288295847","158792302467923776979869944101737715783","242496389982337509652968937893028416656","222722482670436005982475371626857359109"]},"deprecated":false,"signature_version":"v1","target":{"file":"pam_oath/pam_oath.c"},"id":"CVE-2024-47191-9ee4c0de","source":"https://gitlab.com/oath-toolkit/oath-toolkit@60d9902b5c20f27e70f8e9c816bfdc0467567e1a","signature_type":"Line"},{"digest":{"threshold":0.9,"line_hashes":["106534135272604188622357268363575940732","327229284202733781202999752246632506585","305101118003551714491456952308062745896","143587239600720098869710924552878890136"]},"deprecated":false,"signature_version":"v1","target":{"file":"liboath/errors.c"},"id":"CVE-2024-47191-a51ceb21","source":"https://gitlab.com/oath-toolkit/oath-toolkit@60d9902b5c20f27e70f8e9c816bfdc0467567e1a","signature_type":"Line"},{"digest":{"length":4542,"function_hash":"294403998499269779426444564686397087202"},"deprecated":false,"signature_version":"v1","target":{"file":"pam_oath/pam_oath.c","function":"pam_sm_authenticate"},"id":"CVE-2024-47191-b78bc9ac","source":"https://gitlab.com/oath-toolkit/oath-toolkit@95ef255e6a401949ce3f67609bf8aac2029db418","signature_type":"Function"},{"digest":{"threshold":0.9,"line_hashes":["322965276451756618292148122576935655099","85266937329261592520212124652104629584","83532349512340445367348917840690795910","68313856654078377990138734391823441398","328636351465844461494438230384155253952","307157957787089165024918271740728984199","45133534365406459624297946571179761858","252931485689532395321207047365435769336","172588051765744943962811035129757075597","29940063419156769373422268911285721917","26546083752878793403448824990421691421","158718382682830108003418315942791485728","74710955409693849829109896333886392822","67692343683348793288236057074106151110","8622398509724841161030410023430914496","264954842459983384211956171702327906167","113600596426960679420486221450650205456","84533248811516032045049487580607224602","217486193975422854174784694670079311774","133221540393983844828487014428315755345"]},"deprecated":false,"signature_version":"v1","target":{"file":"liboath/usersfile.c"},"id":"CVE-2024-47191-bb3e1ce2","source":"https://gitlab.com/oath-toolkit/oath-toolkit@3235a52f6b87cd1c5da6508f421ac261f5e33a70","signature_type":"Line"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-47191.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"}]}