CVE-2020-27780

Published: 18 December 2020

A flaw was found in Linux-Pam in versions prior to 1.5.1 in the way it handle empty passwords for non-existing users. When the user doesn't exist PAM try to authenticate with root and in the case of an empty password it successfully authenticate.

Priority

High

CVSS 3 base score: 9.8

Status

Package Release Status
pam
Launchpad, Ubuntu, Debian
Upstream Not vulnerable
(debian: Only affects 1.5.0)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable

Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable

Ubuntu 16.04 ESM (Xenial Xerus) Not vulnerable

Ubuntu 14.04 ESM (Trusty Tahr) Not vulnerable