CVE-2011-4966 - Vulnerability Details

modules/rlm_unix/rlm_unix.c in FreeRADIUS before 2.2.0, when unix mode is enabled for user authentication, does not properly check the password expiration in /etc/shadow, which allows remote authenticated users to authenticate using an expired password.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Freeradius	Freeradius
Redhat	Enterprise Linux

Configuration 1 [-]

OR	cpe:2.3:a:freeradius:freeradius::::::::
	cpe:2.3:a:freeradius:freeradius::::::::
	cpe:2.3:a:freeradius:freeradius:0.1:::::::*
	cpe:2.3:a:freeradius:freeradius:0.2:::::::*
	cpe:2.3:a:freeradius:freeradius:0.3:::::::*
	cpe:2.3:a:freeradius:freeradius:0.4:::::::*
	cpe:2.3:a:freeradius:freeradius:0.5:::::::*
	cpe:2.3:a:freeradius:freeradius:0.6:::::::*
	cpe:2.3:a:freeradius:freeradius:0.7:::::::*
	cpe:2.3:a:freeradius:freeradius:0.7.1:::::::*
	cpe:2.3:a:freeradius:freeradius:0.8:::::::*
	cpe:2.3:a:freeradius:freeradius:0.8.1:::::::*
	cpe:2.3:a:freeradius:freeradius:0.9:::::::*
	cpe:2.3:a:freeradius:freeradius:0.9.0:::::::*
	cpe:2.3:a:freeradius:freeradius:0.9.1:::::::*
	cpe:2.3:a:freeradius:freeradius:0.9.2:::::::*
	cpe:2.3:a:freeradius:freeradius:0.9.3:::::::*
	cpe:2.3:a:freeradius:freeradius:1.0.0:::::::*
	cpe:2.3:a:freeradius:freeradius:1.0.1:::::::*
	cpe:2.3:a:freeradius:freeradius:1.0.2:::::::*
	cpe:2.3:a:freeradius:freeradius:1.0.3:::::::*
	cpe:2.3:a:freeradius:freeradius:1.0.4:::::::*
	cpe:2.3:a:freeradius:freeradius:1.0.5:::::::*
	cpe:2.3:a:freeradius:freeradius:1.1.0:::::::*
	cpe:2.3:a:freeradius:freeradius:1.1.1:::::::*
	cpe:2.3:a:freeradius:freeradius:1.1.2:::::::*
	cpe:2.3:a:freeradius:freeradius:1.1.3:::::::*
	cpe:2.3:a:freeradius:freeradius:1.1.4:::::::*
	cpe:2.3:a:freeradius:freeradius:1.1.5:::::::*
	cpe:2.3:a:freeradius:freeradius:1.1.6:::::::*
	cpe:2.3:a:freeradius:freeradius:1.1.7:::::::*
	cpe:2.3:a:freeradius:freeradius:1.1.8:::::::*
	cpe:2.3:a:freeradius:freeradius:2.0:::::::*
	cpe:2.3:a:freeradius:freeradius:2.0.1:::::::*
	cpe:2.3:a:freeradius:freeradius:2.0.2:::::::*
	cpe:2.3:a:freeradius:freeradius:2.0.3:::::::*
	cpe:2.3:a:freeradius:freeradius:2.0.4:::::::*
	cpe:2.3:a:freeradius:freeradius:2.0.5:::::::*
	cpe:2.3:a:freeradius:freeradius:2.1.0:::::::*
	cpe:2.3:a:freeradius:freeradius:2.1.1:::::::*
	cpe:2.3:a:freeradius:freeradius:2.1.2:::::::*
	cpe:2.3:a:freeradius:freeradius:2.1.3:::::::*
	cpe:2.3:a:freeradius:freeradius:2.1.4:::::::*
	cpe:2.3:a:freeradius:freeradius:2.1.6:::::::*
	cpe:2.3:a:freeradius:freeradius:2.1.7:::::::*
	cpe:2.3:a:freeradius:freeradius:2.1.8:::::::*
	cpe:2.3:a:freeradius:freeradius:2.1.9:::::::*
	cpe:2.3:a:freeradius:freeradius:2.1.10:::::::*
	cpe:2.3:a:freeradius:freeradius:2.1.11:::::::*
	cpe:2.3:a:freeradius:freeradius:2.1.12:::::::*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 5
freeradius2-0:2.1.12-5.el5	cpe:/o:redhat:enterprise_linux:5	RHSA-2013:0134	2013-01-08T00:00:00Z
Red Hat Enterprise Linux 6
freeradius-0:2.1.12-3.el6	cpe:/o:redhat:enterprise_linux:6	RHBA-2012:0881	2012-06-20T00:00:00Z

References

Link	Providers
http://lists.opensuse.org/opensuse-updates/2013-01/msg00029.html
http://lists.opensuse.org/opensuse-updates/2013-01/msg00079.html
http://rhn.redhat.com/errata/RHBA-2012-0881.html
http://rhn.redhat.com/errata/RHSA-2013-0134.html
https://github.com/alandekok/freeradius-server/commit/1b1ec5ce75e224bd1755650c18ccdaa6dc53e605
https://nvd.nist.gov/vuln/detail/CVE-2011-4966
https://www.cve.org/CVERecord?id=CVE-2011-4966

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2013-03-12T22:00:00Z

Updated: 2024-08-07T00:23:39.372Z

Reserved: 2011-12-23T00:00:00Z

Link: CVE-2011-4966

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2013-03-12T23:55:01.337

Modified: 2025-04-11T00:51:21.963

Link: CVE-2011-4966

Redhat

Severity : Low

Publid Date: 2011-11-14T00:00:00Z

Links: CVE-2011-4966 - Bugzilla

Metrics

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

Metrics

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object