Description
usersfile.c in liboath in OATH Toolkit before 2.4.1 does not properly handle lines containing an invalid one-time-password (OTP) type and a user name in /etc/users.oath, which causes the wrong line to be updated when invalidating an OTP and allows context-dependent attackers to conduct replay attacks, as demonstrated by a commented out line when using libpam-oath.
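A defensive audit for the condition described above, as an added example (not code from OATH Toolkit or SUSE): it flags users-file lines whose first field is not a valid OTP type but whose second field is a user name that also appears on a valid line. The accepted type tokens and the whitespace field splitting are assumptions about the liboath users file format, and the sample file is constructed.

```python
import re

# Assumption: type tokens accepted in the liboath users file
# (HOTP, HOTP/E[/6-8], HOTP/T30 or HOTP/T60 [/6-8]); not taken from the advisory.
VALID_TYPE = re.compile(r"^HOTP(/(E|T30|T60)(/[678])?)?$")

# Constructed sample users file; the secrets are dummy values.
SAMPLE = """\
#HOTP/T30 alice - 00112233
HOTP/T30 alice - 00112233
HOTP bob - 44556677
# just a comment line
TOTP carol - 8899aabb
"""


def audit_usersfile(text):
    """Return (line_no, user, type_token) for every line whose type token is
    invalid while the same user name also appears on a valid line."""
    valid_users = set()
    suspects = []
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split()  # assumption: fields are whitespace-separated
        if len(fields) < 2:
            continue
        otp_type, user = fields[0], fields[1]
        if VALID_TYPE.match(otp_type):
            valid_users.add(user)
        else:
            suspects.append((line_no, user, otp_type))
    # Only lines that shadow a real account match the advisory's scenario,
    # so filter once the whole file has been read (order-independent).
    return [s for s in suspects if s[1] in valid_users]


if __name__ == "__main__":
    for line_no, user, otp_type in audit_usersfile(SAMPLE):
        print(f"line {line_no}: invalid type {otp_type!r} shares user {user!r} "
              "with a valid entry; remove or rewrite this line")
```

On a live system the text would come from the users file named in the description; lines the audit reports should be deleted rather than commented out until liboath is at 2.4.1 or later.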
Overall state of this security issue: Does not affect SUSE products
This issue is currently rated as having moderate severity.
List of released packages
|Product(s)|Fixed package version(s)|References|
|SUSE Linux Enterprise Module for Basesystem 15 SP1| | |
|SUSE Linux Enterprise Module for Basesystem 15| | |
|SUSE Linux Enterprise Workstation Extension 15, SUSE Linux Enterprise Workstation Extension 15 SP1| | |
|openSUSE Leap 15.0| |Patchnames: openSUSE Leap 15.0 GA libpskc0|