GCVE - cpe:2.3:a:yubico:pam-u2f:1.0.7:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:yubico:pam-u2f:1.0.7:*:*:*:*:*:*:*

part: a version: 1.0.7 update: *

Vendor	Yubico (`f47f12e0-b4db-5ed2-80cf-70347f747b11`)
Product	Pam U2F (`028cb388-24be-560f-a695-6aedc0dee4c3`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from NVD CPE 2.0 feed

PURL mappings

PURL	Source	Last updated
`pkg:deb/debian/pam-u2f`	purl2cpe	2026-06-01 10:13:15.745108
`pkg:deb/ubuntu/pam-u2f`	purl2cpe	2026-06-01 10:13:15.745109
`pkg:github/yubico/pam-u2f`	purl2cpe	2026-06-01 10:13:15.745110
`pkg:rpm/fedora/pam-u2f`	purl2cpe	2026-06-01 10:13:15.745112

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2019-12210`	vulnerable	2026-06-03 14:39:34.415623	Details available In Yubico pam-u2f 1.0.7, when configured with debug and a custom debug log file is set using debug_file, that file descriptor is not closed when a new process is spawned. This leads to the file descriptor being inherited into the child process; the child process can then read from and write to it. This can leak sensitive information and also, if written to, be used to fill the disk or plant misinformation. Published: 2019-06-04T20:28:51.000Z Updated: 2024-08-04T23:17:38.208Z Open on db.gcve.eu Reference links https://developers.yubico.com/pam-u2f/Release_Notes.html https://github.com/Yubico/pam-u2f/commit/18b1914e32b74ff52000f10e97067e841e5fff62 http://www.openwall.com/lists/oss-security/2019/06/05/1 http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00012.html http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00018.html	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2019-12209`	vulnerable	2026-06-03 14:39:34.415134	Details available Yubico pam-u2f 1.0.7 attempts parsing of the configured authfile (default $HOME/.config/Yubico/u2f_keys) as root (unless openasuser was enabled), and does not properly verify that the path lacks symlinks pointing to other files on the system owned by root. If the debug option is enabled in the PAM configuration, part of the file contents of a symlink target will be logged, possibly revealing sensitive information. Published: 2019-06-04T20:26:55.000Z Updated: 2024-08-04T23:17:38.129Z Open on db.gcve.eu Reference links https://github.com/Yubico/pam-u2f/commit/7db3386fcdb454e33a3ea30dcfb8e8960d4c3aa3 https://developers.yubico.com/pam-u2f/Release_Notes.html http://www.openwall.com/lists/oss-security/2019/06/05/1 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5FOR4ADC356JPCHAJI5UXZORLC3VNBPS/ http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00012.html	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.