GCVE - cpe:2.3:a:nongnu:oath_toolkit:*:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:nongnu:oath_toolkit:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor	Nongnu (`2a4ff73f-605f-5ecb-9f22-a9e82e6c3477`)
Product	Oath Toolkit (`aec54abe-baf8-59bf-9dc1-86f079878789`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from purl2cpe mapping

PURL mappings

PURL	Source	Last updated
`pkg:deb/debian/oath-toolkit`	purl2cpe	2026-06-01 10:12:38.211061
`pkg:deb/ubuntu/oath-toolkit`	purl2cpe	2026-06-01 10:12:38.211064
`pkg:github/dimitripapadopoulos/oath-toolkit`	purl2cpe	2026-06-01 10:12:38.211067
`pkg:github/malept/oath-toolkit`	purl2cpe	2026-06-01 10:12:38.211069
`pkg:github/paulyc/oath-toolkit`	purl2cpe	2026-06-01 10:12:38.211072
`pkg:gnu/oath-toolkit`	purl2cpe	2026-06-01 10:12:38.211075
`pkg:rpm/fedora/oath-toolkit`	purl2cpe	2026-06-01 10:12:38.211078
`pkg:rpm/opensuse/oath-toolkit`	purl2cpe	2026-06-01 10:12:38.211080

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2024-47191`	vulnerable	2026-06-08 06:48:11.565368	Details available pam_oath.so in oath-toolkit 2.6.7 through 2.6.11 before 2.6.12 allows root privilege escalation because, in the context of PAM code running as root, it mishandles usersfile access, such as by calling fchown in the presence of a symlink. Published: 2024-10-09T00:00:00.000Z Updated: 2024-10-18T03:08:08.622Z Open on db.gcve.eu Reference links https://gitlab.com/oath-toolkit/oath-toolkit/-/issues/43 https://www.openwall.com/lists/oss-security/2024/10/04/2 https://security.opensuse.org/2024/10/04/oath-toolkit-vulnerability.html https://www.nongnu.org/oath-toolkit/security/CVE-2024-47191 https://gitlab.com/oath-toolkit/oath-toolkit/-/commit/60d9902b5c20f27e70f8e9c816bfdc0467567e1a	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2013-7322`	vulnerable	2026-06-08 05:05:09.745329	Details available usersfile.c in liboath in OATH Toolkit before 2.4.1 does not properly handle lines containing an invalid one-time-password (OTP) type and a user name in /etc/users.oath, which causes the wrong line to be updated when invalidating an OTP and allows context-dependent attackers to conduct replay attacks, as demonstrated by a commented out line when using libpam-oath. Published: 2014-03-07T20:00:00.000Z Updated: 2024-08-06T18:01:20.390Z Open on db.gcve.eu Reference links http://seclists.org/oss-sec/2014/q1/296 http://lists.nongnu.org/archive/html/oath-toolkit-help/2013-12/msg00003.html http://lists.nongnu.org/archive/html/oath-toolkit-help/2013-12/msg00000.html https://exchange.xforce.ibmcloud.com/vulnerabilities/91316 http://lists.nongnu.org/archive/html/oath-toolkit-help/2013-12/msg00002.html	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.