{
  "threat_severity" : "Important",
  "public_date" : "2024-10-04T00:00:00Z",
  "bugzilla" : {
    "description" : "oath-toolkit: Local root exploit in a PAM module",
    "id" : "2316488",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2316488"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-22",
  "details" : [ "pam_oath.so in oath-toolkit 2.6.7 through 2.6.11 before 2.6.12 allows root privilege escalation because, in the context of PAM code running as root, it mishandles usersfile access, such as by calling fchown in the presence of a symlink.", "A vulnerability was found in a PAM module, the oath-toolkit. The module gained a feature that allowed placing the OTP state file, called the usersfile, in the home directory of the to-be-authenticated user. The PAM module performed unsafe file operations in the users' home directories. Since PAM stacks typically run as root, this flaw allows a malicious user to jeopardize an environment." ],
  "statement" : "This vulnerability is rated Important rather than Moderate due to its potential for full privilege escalation without requiring complex attack vectors. The flaw in the `pam_oath.so` module allows unprivileged users to manipulate file operations within their home directories to exploit symlink attacks, enabling them to overwrite critical system files, such as `/etc/shadow`, with root-level privileges. Since PAM stacks typically run as root, this exploitation does not involve race conditions or reliance on environmental factors, making the attack straightforward and highly impactful.\nCeph uses an affected oath-toolkit version. However, it does not use the affected methods and it is not vulnerable to this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Ceph Storage 6.1",
    "release_date" : "2025-04-28T00:00:00Z",
    "advisory" : "RHSA-2025:4238",
    "cpe" : "cpe:/a:redhat:ceph_storage:6.1::el8",
    "package" : "ceph-2:17.2.6-277.el8cp"
  }, {
    "product_name" : "Red Hat Ceph Storage 6.1",
    "release_date" : "2025-04-28T00:00:00Z",
    "advisory" : "RHSA-2025:4238",
    "cpe" : "cpe:/a:redhat:ceph_storage:6.1::el8",
    "package" : "oath-toolkit-0:2.6.12-1.el8cp"
  }, {
    "product_name" : "Red Hat Ceph Storage 7.1",
    "release_date" : "2025-05-07T00:00:00Z",
    "advisory" : "RHSA-2025:4664",
    "cpe" : "cpe:/a:redhat:ceph_storage:7.1::el8",
    "package" : "ceph-2:18.2.1-329.el8cp"
  }, {
    "product_name" : "Red Hat Ceph Storage 7.1",
    "release_date" : "2025-05-07T00:00:00Z",
    "advisory" : "RHSA-2025:4664",
    "cpe" : "cpe:/a:redhat:ceph_storage:7.1::el8",
    "package" : "oath-toolkit-0:2.6.12-1.el8cp"
  }, {
    "product_name" : "Red Hat Ceph Storage 8.0",
    "release_date" : "2025-04-07T00:00:00Z",
    "advisory" : "RHSA-2025:3635",
    "cpe" : "cpe:/a:redhat:ceph_storage:8.0::el9",
    "package" : "ceph-2:19.2.0-124.el9cp"
  }, {
    "product_name" : "Red Hat Ceph Storage 8.0",
    "release_date" : "2025-04-07T00:00:00Z",
    "advisory" : "RHSA-2025:3635",
    "cpe" : "cpe:/a:redhat:ceph_storage:8.0::el9",
    "package" : "oath-toolkit-0:2.6.12-1.el9cp"
  }, {
    "product_name" : "Red Hat Ceph Storage 8.1",
    "release_date" : "2025-06-26T00:00:00Z",
    "advisory" : "RHSA-2025:9775",
    "cpe" : "cpe:/a:redhat:ceph_storage:8.1::el9",
    "package" : "ceph-2:19.2.1-222.el9cp"
  }, {
    "product_name" : "Red Hat Ceph Storage 8.1",
    "release_date" : "2025-06-26T00:00:00Z",
    "advisory" : "RHSA-2025:9775",
    "cpe" : "cpe:/a:redhat:ceph_storage:8.1::el9",
    "package" : "cephadm-ansible-1:4.1.4-1.el9cp"
  }, {
    "product_name" : "Red Hat Ceph Storage 8.1",
    "release_date" : "2025-06-26T00:00:00Z",
    "advisory" : "RHSA-2025:9775",
    "cpe" : "cpe:/a:redhat:ceph_storage:8.1::el9",
    "package" : "oath-toolkit-0:2.6.12-1.el9cp"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Ceph Storage 4",
    "fix_state" : "Out of support scope",
    "package_name" : "oath-toolkit",
    "cpe" : "cpe:/a:redhat:ceph_storage:4"
  }, {
    "product_name" : "Red Hat Ceph Storage 5",
    "fix_state" : "Affected",
    "package_name" : "oath-toolkit",
    "cpe" : "cpe:/a:redhat:ceph_storage:5"
  }, {
    "product_name" : "Red Hat Openshift Container Storage 4",
    "fix_state" : "Affected",
    "package_name" : "oath-toolkit",
    "cpe" : "cpe:/a:redhat:openshift_container_storage:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-47191\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-47191" ],
  "name" : "CVE-2024-47191",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}