CVE-2014-9278

Summary

CVE	CVE-2014-9278
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2014-12-06 15:59:00 UTC
Updated	2017-09-08 01:29:00 UTC
Description	The OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 and when running in a Kerberos environment, allows remote authenticated users to log in as another user when they are listed in the .k5users file of that user, which might bypass intended authentication requirements that would force a local login.

Risk And Classification

Problem Types: CWE-287

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Openbsd	Openssh	-	All	All	All
Application	Openbsd	Openssh	-	All	All	All
Operating System	Redhat	Enterprise Linux	7.0	All	All	All
Operating System	Redhat	Enterprise Linux	7.0	All	All	All
Operating System	Redhat	Fedora	7	All	All	All
Operating System	Redhat	Fedora	7	All	All	All

References

Reference	Source	Link	Tags
oss-security - CVE request: OpenSSH ~/.k5users patch (Fedora and downstreams)	MLIST	www.openwall.com
IBM X-Force Exchange	XF	exchange.xforce.ibmcloud.com
Gmane Loom	MISC	thread.gmane.org
Red Hat Customer Portal	REDHAT	rhn.redhat.com
Portable OpenSSH 'gss-serv-krb5.c' Security Bypass Vulnerability	BID	www.securityfocus.com
Bug 1169843 – CVE-2014-9278 openssh: ~/.k5users unexpectedly grants remote login	CONFIRM	bugzilla.redhat.com
oss-security - Re: CVE request: OpenSSH ~/.k5users patch (Fedora and downstreams)	MLIST	www.openwall.com
Bug 1867 – add support for ~/.kusers ala ksu(1)	CONFIRM	bugzilla.mindrot.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.