{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-23013", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-02-03T10:03:09.695Z", "dateReserved": "2025-01-09T00:00:00.000Z", "datePublished": "2025-01-15T00:00:00.000Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "pam-u2f", "vendor": "Yubico", "versions": [{"lessThan": "1.3.1", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "In Yubico pam-u2f before 1.3.1, local privilege escalation can sometimes occur. This product implements a Pluggable Authentication Module (PAM) that can be deployed to support authentication using a YubiKey or other FIDO compliant authenticators on macOS or Linux. This software package has an issue that allows for an authentication bypass in some configurations. An attacker would require the ability to access the system as an unprivileged user. Depending on the configuration, the attacker may also need to know the user's password."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-394", "description": "CWE-394 Unexpected Status Code or Return Value", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-01-15T03:56:38.534Z"}, "references": [{"url": "https://www.yubico.com/support/security-advisories/ysa-2025-01/"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:yubico:pam-u2f:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.3.1"}]}]}]}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/01/15/1"}, {"url": "http://www.openwall.com/lists/oss-security/2025/01/16/2"}, {"url": "http://www.openwall.com/lists/oss-security/2025/01/16/3"}, {"url": "http://www.openwall.com/lists/oss-security/2025/01/16/4"}, {"url": "http://www.openwall.com/lists/oss-security/2025/01/16/5"}, {"url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00001.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-02-03T10:03:09.695Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-01-15T14:51:01.272240Z", "id": "CVE-2025-23013", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-15T14:51:14.757Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/01/15/1"}, {"url": "http://www.openwall.com/lists/oss-security/2025/01/16/2"}, {"url": "http://www.openwall.com/lists/oss-security/2025/01/16/3"}, {"url": "http://www.openwall.com/lists/oss-security/2025/01/16/4"}, {"url": "http://www.openwall.com/lists/oss-security/2025/01/16/5"}, {"url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00001.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-02-03T10:03:09.695Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-23013", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-01-15T14:51:01.272240Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-15T14:51:05.467Z"}}], "cna": {"metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}], "affected": [{"vendor": "Yubico", "product": "pam-u2f", "versions": [{"status": "affected", "version": "0", "lessThan": "1.3.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.yubico.com/support/security-advisories/ysa-2025-01/"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "descriptions": [{"lang": "en", "value": "In Yubico pam-u2f before 1.3.1, local privilege escalation can sometimes occur. This product implements a Pluggable Authentication Module (PAM) that can be deployed to support authentication using a YubiKey or other FIDO compliant authenticators on macOS or Linux. This software package has an issue that allows for an authentication bypass in some configurations. An attacker would require the ability to access the system as an unprivileged user. Depending on the configuration, the attacker may also need to know the user's password."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-394", "description": "CWE-394 Unexpected Status Code or Return Value"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:yubico:pam-u2f:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "1.3.1"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-01-15T03:56:38.534Z"}}}, "cveMetadata": {"cveId": "CVE-2025-23013", "state": "PUBLISHED", "dateUpdated": "2025-02-03T10:03:09.695Z", "dateReserved": "2025-01-09T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2025-01-15T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In Yubico pam-u2f before 1.3.1, local privilege escalation can sometimes occur. This product implements a Pluggable Authentication Module (PAM) that can be deployed to support authentication using a YubiKey or other FIDO compliant authenticators on macOS or Linux. This software package has an issue that allows for an authentication bypass in some configurations. An attacker would require the ability to access the system as an unprivileged user. Depending on the configuration, the attacker may also need to know the user's password."}, {"lang": "es", "value": "En Yubico pam-u2f anterior a la versi\u00f3n 1.3.1, a veces puede producirse una escalada de privilegios locales. Este producto implementa un m\u00f3dulo de autenticaci\u00f3n conectable (PAM) que se puede implementar para admitir la autenticaci\u00f3n mediante una YubiKey u otros autenticadores compatibles con FIDO en macOS o Linux. Este paquete de software tiene un problema que permite omitir la autenticaci\u00f3n en algunas configuraciones. Un atacante necesitar\u00eda poder acceder al sistema como un usuario sin privilegios. Seg\u00fan la configuraci\u00f3n, el atacante tambi\u00e9n podr\u00eda necesitar saber la contrase\u00f1a del usuario."}], "id": "CVE-2025-23013", "lastModified": "2025-02-03T10:15:09.250", "metrics": {"cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "HIGH", "vulnerableSystemConfidentiality": "HIGH", "vulnerableSystemIntegrity": "HIGH"}, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2025-01-15T04:15:20.037", "references": [{"source": "cve@mitre.org", "url": "https://www.yubico.com/support/security-advisories/ysa-2025-01/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2025/01/15/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2025/01/16/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2025/01/16/3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2025/01/16/4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2025/01/16/5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00001.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-394"}], "source": "cve@mitre.org", "type": "Secondary"}]}

{}

{"created": "2025-07-12T15:26:18.471864+00:00", "updated": "2025-07-12T15:26:18.471921+00:00", "vendors": ["yubico", "yubico$PRODUCT$pam-u2f"]}