{ "threat_severity" : "Important", "public_date" : "2025-06-17T00:00:00Z", "bugzilla" : { "description" : "linux-pam: Linux-pam directory Traversal", "id" : "2372512", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2372512" }, "cvss3" : { "cvss3_base_score" : "7.8", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-22", "details" : [ "A flaw was found in linux-pam. The module pam_namespace may use access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions.", "A flaw was found in linux-pam. The module pam_namespace may use access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions." ], "statement" : "This vulnerability in pam_namespace marked as Important rather than Moderate due to its direct impact on privilege boundaries and the ease of exploitation in common configurations. By leveraging symlink attacks or race conditions in polyinstantiated directories under their control, unprivileged local users can escalate to root, compromising the entire system. Since pam_namespace is often used in multi-user environments (e.g., shared systems, terminal servers, containers), a misconfigured or partially protected setup becomes a single point of failure. The attack does not require special capabilities or kernel-level exploits—just timing and control over certain paths—making it both reliable and low-barrier. Moreover, privilege escalation flaws like this can be chained with other vulnerabilities to persist or evade detection, further amplifying the risk.", "acknowledgement" : "Red Hat would like to thank Olivier BAL-PETRE (ANSSI - French Cybersecurity Agency) for reporting this issue.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 10", "release_date" : "2025-11-11T00:00:00Z", "advisory" : "RHSA-2025:20181", "cpe" : "cpe:/o:redhat:enterprise_linux:10.1", "package" : "pam-0:1.6.1-8.el10" }, { "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support", "release_date" : "2025-11-25T00:00:00Z", "advisory" : "RHSA-2025:22019", "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0", "package" : "pam-0:1.6.1-8.el10_0" }, { "product_name" : "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "release_date" : "2025-07-07T00:00:00Z", "advisory" : "RHSA-2025:10357", "cpe" : "cpe:/o:redhat:rhel_els:7", "package" : "pam-0:1.1.8-23.el7_9.1" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2025-07-01T00:00:00Z", "advisory" : "RHSA-2025:10027", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "pam-0:1.3.1-37.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2025-08-26T00:00:00Z", "advisory" : "RHSA-2025:14557", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "pam-0:1.3.1-38.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date" : "2025-07-07T00:00:00Z", "advisory" : "RHSA-2025:10362", "cpe" : "cpe:/o:redhat:rhel_aus:8.2", "package" : "pam-0:1.3.1-8.el8_2.1" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date" : "2025-07-07T00:00:00Z", "advisory" : "RHSA-2025:10361", "cpe" : "cpe:/o:redhat:rhel_aus:8.4", "package" : "pam-0:1.3.1-14.el8_4.1" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date" : "2025-07-07T00:00:00Z", "advisory" : "RHSA-2025:10359", "cpe" : "cpe:/o:redhat:rhel_aus:8.6", "package" : "pam-0:1.3.1-16.el8_6.2" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date" : "2025-07-07T00:00:00Z", "advisory" : "RHSA-2025:10359", "cpe" : "cpe:/o:redhat:rhel_tus:8.6", "package" : "pam-0:1.3.1-16.el8_6.2" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date" : "2025-07-07T00:00:00Z", "advisory" : "RHSA-2025:10359", "cpe" : "cpe:/o:redhat:rhel_e4s:8.6", "package" : "pam-0:1.3.1-16.el8_6.2" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service", "release_date" : "2025-07-07T00:00:00Z", "advisory" : "RHSA-2025:10358", "cpe" : "cpe:/o:redhat:rhel_tus:8.8", "package" : "pam-0:1.3.1-26.el8_8.1" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions", "release_date" : "2025-07-07T00:00:00Z", "advisory" : "RHSA-2025:10358", "cpe" : "cpe:/o:redhat:rhel_e4s:8.8", "package" : "pam-0:1.3.1-26.el8_8.1" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-09-03T00:00:00Z", "advisory" : "RHSA-2025:15099", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "pam-0:1.5.1-26.el9_6" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-06-24T00:00:00Z", "advisory" : "RHSA-2025:9526", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "pam-0:1.5.1-25.el9_6" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-09-03T00:00:00Z", "advisory" : "RHSA-2025:15099", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "pam-0:1.5.1-26.el9_6" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-06-24T00:00:00Z", "advisory" : "RHSA-2025:9526", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "pam-0:1.5.1-25.el9_6" }, { "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date" : "2025-07-07T00:00:00Z", "advisory" : "RHSA-2025:10354", "cpe" : "cpe:/a:redhat:rhel_e4s:9.0", "package" : "pam-0:1.5.1-9.el9_0.2" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date" : "2025-07-02T00:00:00Z", "advisory" : "RHSA-2025:10180", "cpe" : "cpe:/a:redhat:rhel_e4s:9.2", "package" : "pam-0:1.5.1-15.el9_2.1" }, { "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date" : "2025-07-01T00:00:00Z", "advisory" : "RHSA-2025:10024", "cpe" : "cpe:/a:redhat:rhel_eus:9.4", "package" : "pam-0:1.5.1-24.el9_4" }, { "product_name" : "Red Hat Web Terminal 1.11 on RHEL 9", "release_date" : "2025-09-15T00:00:00Z", "advisory" : "RHSA-2025:15828", "cpe" : "cpe:/a:redhat:webterminal:1.11::el9", "package" : "web-terminal/web-terminal-rhel9-operator:1.11-19" }, { "product_name" : "Red Hat Web Terminal 1.11 on RHEL 9", "release_date" : "2025-09-15T00:00:00Z", "advisory" : "RHSA-2025:15828", "cpe" : "cpe:/a:redhat:webterminal:1.11::el9", "package" : "web-terminal/web-terminal-tooling-rhel9:1.11-8" }, { "product_name" : "Red Hat Web Terminal 1.12 on RHEL 9", "release_date" : "2025-09-15T00:00:00Z", "advisory" : "RHSA-2025:15827", "cpe" : "cpe:/a:redhat:webterminal:1.12::el9", "package" : "web-terminal/web-terminal-tooling-rhel9:1.12-4" }, { "product_name" : "RHEL-8 based Middleware Containers", "release_date" : "2025-07-17T00:00:00Z", "advisory" : "RHSA-2025:11386", "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8", "package" : "rhpam-7/rhpam-businesscentral-monitoring-rhel8:7.13.5-4.1752066672" }, { "product_name" : "RHEL-8 based Middleware Containers", "release_date" : "2025-07-17T00:00:00Z", "advisory" : "RHSA-2025:11386", "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8", "package" : "rhpam-7/rhpam-businesscentral-rhel8:7.13.5-4.1752065732" }, { "product_name" : "RHEL-8 based Middleware Containers", "release_date" : "2025-07-17T00:00:00Z", "advisory" : "RHSA-2025:11386", "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8", "package" : "rhpam-7/rhpam-controller-rhel8:7.13.5-4.1752065732" }, { "product_name" : "RHEL-8 based Middleware Containers", "release_date" : "2025-07-17T00:00:00Z", "advisory" : "RHSA-2025:11386", "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8", "package" : "rhpam-7/rhpam-dashbuilder-rhel8:7.13.5-3.1752065737" }, { "product_name" : "RHEL-8 based Middleware Containers", "release_date" : "2025-07-17T00:00:00Z", "advisory" : "RHSA-2025:11386", "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8", "package" : "rhpam-7/rhpam-kieserver-rhel8:7.13.5-4.1752065731" }, { "product_name" : "RHEL-8 based Middleware Containers", "release_date" : "2025-07-17T00:00:00Z", "advisory" : "RHSA-2025:11386", "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8", "package" : "rhpam-7/rhpam-operator-bundle:7.13.5-25" }, { "product_name" : "RHEL-8 based Middleware Containers", "release_date" : "2025-07-17T00:00:00Z", "advisory" : "RHSA-2025:11386", "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8", "package" : "rhpam-7/rhpam-process-migration-rhel8:7.13.5-4.1752065736" }, { "product_name" : "RHEL-8 based Middleware Containers", "release_date" : "2025-07-17T00:00:00Z", "advisory" : "RHSA-2025:11386", "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8", "package" : "rhpam-7/rhpam-rhel8-operator:7.13.5-2.1752065733" }, { "product_name" : "RHEL-8 based Middleware Containers", "release_date" : "2025-07-17T00:00:00Z", "advisory" : "RHSA-2025:11386", "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8", "package" : "rhpam-7/rhpam-smartrouter-rhel8:7.13.5-4.1752065755" }, { "product_name" : "RHOSS-1.36-RHEL-8", "release_date" : "2026-01-22T00:00:00Z", "advisory" : "RHSA-2026:0934", "cpe" : "cpe:/a:redhat:openshift_serverless:1.36::el8", "package" : "openshift-serverless-1/logic-data-index-ephemeral-rhel8:1.36.0-11" }, { "product_name" : "RHOSS-1.36-RHEL-8", "release_date" : "2026-01-22T00:00:00Z", "advisory" : "RHSA-2026:0934", "cpe" : "cpe:/a:redhat:openshift_serverless:1.36::el8", "package" : "openshift-serverless-1/logic-data-index-postgresql-rhel8:1.36.0-11" }, { "product_name" : "RHOSS-1.36-RHEL-8", "release_date" : "2026-01-22T00:00:00Z", "advisory" : "RHSA-2026:0934", "cpe" : "cpe:/a:redhat:openshift_serverless:1.36::el8", "package" : "openshift-serverless-1/logic-db-migrator-tool-rhel8:1.36.0-11" }, { "product_name" : "RHOSS-1.36-RHEL-8", "release_date" : "2026-01-22T00:00:00Z", "advisory" : "RHSA-2026:0934", "cpe" : "cpe:/a:redhat:openshift_serverless:1.36::el8", "package" : "openshift-serverless-1/logic-jobs-service-ephemeral-rhel8:1.36.0-10" }, { "product_name" : "RHOSS-1.36-RHEL-8", "release_date" : "2026-01-22T00:00:00Z", "advisory" : "RHSA-2026:0934", "cpe" : "cpe:/a:redhat:openshift_serverless:1.36::el8", "package" : "openshift-serverless-1/logic-jobs-service-postgresql-rhel8:1.36.0-10" }, { "product_name" : "RHOSS-1.36-RHEL-8", "release_date" : "2026-01-22T00:00:00Z", "advisory" : "RHSA-2026:0934", "cpe" : "cpe:/a:redhat:openshift_serverless:1.36::el8", "package" : "openshift-serverless-1/logic-kn-workflow-cli-artifacts-rhel8:1.36.0-4" }, { "product_name" : "RHOSS-1.36-RHEL-8", "release_date" : "2026-01-22T00:00:00Z", "advisory" : "RHSA-2026:0934", "cpe" : "cpe:/a:redhat:openshift_serverless:1.36::el8", "package" : "openshift-serverless-1/logic-management-console-rhel8:1.36.0-9" }, { "product_name" : "RHOSS-1.36-RHEL-8", "release_date" : "2026-01-22T00:00:00Z", "advisory" : "RHSA-2026:0934", "cpe" : "cpe:/a:redhat:openshift_serverless:1.36::el8", "package" : "openshift-serverless-1/logic-operator-bundle:1.36.0-12" }, { "product_name" : "RHOSS-1.36-RHEL-8", "release_date" : "2026-01-22T00:00:00Z", "advisory" : "RHSA-2026:0934", "cpe" : "cpe:/a:redhat:openshift_serverless:1.36::el8", "package" : "openshift-serverless-1/logic-rhel8-operator:1.36.0-18" }, { "product_name" : "RHOSS-1.36-RHEL-8", "release_date" : "2026-01-22T00:00:00Z", "advisory" : "RHSA-2026:0934", "cpe" : "cpe:/a:redhat:openshift_serverless:1.36::el8", "package" : "openshift-serverless-1/logic-swf-builder-rhel8:1.36.0-11" }, { "product_name" : "RHOSS-1.36-RHEL-8", "release_date" : "2026-01-22T00:00:00Z", "advisory" : "RHSA-2026:0934", "cpe" : "cpe:/a:redhat:openshift_serverless:1.36::el8", "package" : "openshift-serverless-1/logic-swf-devmode-rhel8:1.36.0-7" }, { "product_name" : "cert-manager operator for Red Hat OpenShift 1.16", "release_date" : "2025-10-16T00:00:00Z", "advisory" : "RHSA-2025:18219", "cpe" : "cpe:/a:redhat:cert_manager:1.16::el9", "package" : "cert-manager/jetstack-cert-manager-rhel9:sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b" }, { "product_name" : "Compliance Operator 1", "release_date" : "2025-11-20T00:00:00Z", "advisory" : "RHSA-2025:21885", "cpe" : "cpe:/a:redhat:openshift_compliance_operator:1::el9", "package" : "compliance/openshift-compliance-openscap-rhel8:sha256:06ad8599c4b0170264e40a45b0126504c87c37f0832265c7ff6541d2385b2049" }, { "product_name" : "Red Hat Discovery 2", "release_date" : "2025-07-21T00:00:00Z", "advisory" : "RHSA-2025:11487", "cpe" : "cpe:/a:redhat:discovery:2::el9", "package" : "discovery/discovery-server-rhel9:sha256:bd9cb502def3153c193713b56372694cb555a71b38d4fc0fd9d021bccc5602de" }, { "product_name" : "Red Hat Discovery 2", "release_date" : "2025-09-23T00:00:00Z", "advisory" : "RHSA-2025:16524", "cpe" : "cpe:/a:redhat:discovery:2::el9", "package" : "discovery/discovery-server-rhel9:sha256:1c67d8d526ab4f2854947f7dccd8752a2efd414c0f1cbab17706fa91147e7cda" }, { "product_name" : "Red Hat Insights proxy 1.5", "release_date" : "2025-10-01T00:00:00Z", "advisory" : "RHSA-2025:17181", "cpe" : "cpe:/a:redhat:insights_proxy:1.5::el9", "package" : "insights-proxy/insights-proxy-container-rhel9:sha256:4ca38b33efec0d2dd17a8fd822a7c18281810676ceabb0c1db90953cb91cd5ea" }, { "product_name" : "Red Hat OpenShift distributed tracing 3.6.0", "release_date" : "2025-07-09T00:00:00Z", "advisory" : "RHSA-2025:10735", "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3.6::el8", "package" : "rhosdt/opentelemetry-collector-rhel8:sha256:1faa5daf085b0844740653d96711b3fcfa766a77224fb523335d877b8e314b57" }, { "product_name" : "Red Hat OpenShift distributed tracing 3.6.0", "release_date" : "2025-07-09T00:00:00Z", "advisory" : "RHSA-2025:10735", "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3.6::el8", "package" : "rhosdt/opentelemetry-rhel8-operator:sha256:39378c1e705973edca5f52f422b5c3693aaf5d2f22fb320d7676086b2cf846ba" }, { "product_name" : "Red Hat OpenShift distributed tracing 3.6.0", "release_date" : "2025-07-09T00:00:00Z", "advisory" : "RHSA-2025:10735", "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3.6::el8", "package" : "rhosdt/opentelemetry-target-allocator-rhel8:sha256:18ca3c44f6f25cbfe67842a0b2c9491a8247a64dbd166f188dccf0a84cfd3e67" }, { "product_name" : "Red Hat OpenShift distributed tracing 3.6.0", "release_date" : "2025-07-10T00:00:00Z", "advisory" : "RHSA-2025:10823", "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3.6::el8", "package" : "rhosdt/tempo-gateway-opa-rhel8:sha256:34851d4dd94a887b27d0937a1238d09ac370b4ec06382fe880796dac86c4aa3e" }, { "product_name" : "Red Hat OpenShift distributed tracing 3.6.0", "release_date" : "2025-07-10T00:00:00Z", "advisory" : "RHSA-2025:10823", "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3.6::el8", "package" : "rhosdt/tempo-gateway-rhel8:sha256:3d281c9d7fe151c35605aac57a95fec699d20ecea6f4a5ea5b8cdc26a8808695" }, { "product_name" : "Red Hat OpenShift distributed tracing 3.6.0", "release_date" : "2025-07-10T00:00:00Z", "advisory" : "RHSA-2025:10823", "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3.6::el8", "package" : "rhosdt/tempo-jaeger-query-rhel8:sha256:2a37885dbd9735167854119a546f9ce1b37454a2b57d283fbd8da890c01db767" }, { "product_name" : "Red Hat OpenShift distributed tracing 3.6.0", "release_date" : "2025-07-10T00:00:00Z", "advisory" : "RHSA-2025:10823", "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3.6::el8", "package" : "rhosdt/tempo-query-rhel8:sha256:8f2da1e0fc45a36cffbe91f9a1c4449eb0c71671865b7194951ad727c9f7b064" }, { "product_name" : "Red Hat OpenShift distributed tracing 3.6.0", "release_date" : "2025-07-10T00:00:00Z", "advisory" : "RHSA-2025:10823", "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3.6::el8", "package" : "rhosdt/tempo-rhel8:sha256:1feaee0df48953c919df3ceb2dde3aa10345e69c0b1a7186a8a0fd6ab9b300f6" }, { "product_name" : "Red Hat OpenShift distributed tracing 3.6.0", "release_date" : "2025-07-10T00:00:00Z", "advisory" : "RHSA-2025:10823", "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3.6::el8", "package" : "rhosdt/tempo-rhel8-operator:sha256:54c5403a8a9e0300233e75a04318013e9dbe3d894be691927d27dc2fe53fddc0" }, { "product_name" : "Red Hat OpenShift sandboxed containers 1.1", "release_date" : "2025-09-11T00:00:00Z", "advisory" : "RHSA-2025:15709", "cpe" : "cpe:/a:redhat:confidential_compute_attestation:1.10::el9", "package" : "openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9:sha256:24722900db1425bf0c27f6ad6f3fb7d79ff9ebc433bdab58423fa71bab76122b" }, { "product_name" : "Red Hat OpenShift sandboxed containers 1.1", "release_date" : "2025-09-11T00:00:00Z", "advisory" : "RHSA-2025:15709", "cpe" : "cpe:/a:redhat:confidential_compute_attestation:1.10::el9", "package" : "openshift-sandboxed-containers/osc-monitor-rhel9:sha256:9ff002e628e5646b5ab3cc9201087847bea29569b4a1bc135b89d5c1a5f0a422" }, { "product_name" : "Red Hat OpenShift sandboxed containers 1.1", "release_date" : "2025-09-11T00:00:00Z", "advisory" : "RHSA-2025:15709", "cpe" : "cpe:/a:redhat:confidential_compute_attestation:1.10::el9", "package" : "openshift-sandboxed-containers/osc-podvm-builder-rhel9:sha256:8f29671308ca658e32e97d5c3b482f7541aae1bca1b71f39b3276a9a334d8108" }, { "product_name" : "Red Hat OpenShift sandboxed containers 1.1", "release_date" : "2025-09-11T00:00:00Z", "advisory" : "RHSA-2025:15709", "cpe" : "cpe:/a:redhat:confidential_compute_attestation:1.10::el9", "package" : "openshift-sandboxed-containers/osc-podvm-payload-rhel9:sha256:59fb1f7f1653361d94f7d48b42d8fe19ed3263c1c78654837c11f2135544c1ac" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-6020\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-6020\nhttps://github.com/linux-pam/linux-pam/security/advisories/GHSA-f9p8-gjr4-j9gx" ], "name" : "CVE-2025-6020", "mitigation" : { "value" : "Disable the `pam_namespace` module if it is not essential for your environment, or carefully review and configure it to avoid operating on any directories or paths that can be influenced or controlled by unprivileged users, such as user home directories or world-writable locations like `/tmp`.", "lang" : "en:us" }, "csaw" : false }