CVE-2020-24612 MEDIUM

Vendor N/A
Product n/a
Published August 24, 2020
Last update August 4, 2024

CVSS base score

6.7/10
Attack vector Local
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AC:H/AV:L/A:N/C:H/I:H/PR:N/S:U/UI:N

What the vulnerability does

01 Description

An issue was discovered in the selinux-policy (aka Reference Policy) package 3.14 through 2020-08-24 because the .config/Yubico directory is mishandled. Consequently, when SELinux is in enforcing mode, pam-u2f is not allowed to read the user's U2F configuration file. If pam-u2f is configured with the nouserok option (the default when configured by the authselect tool) and that file cannot be read, the second factor is disabled. An attacker who knows only the password can then log in, bypassing 2FA.

Key dates

02 Disclosure timeline

August 24, 2020 CVE published
August 4, 2024 Record updated