Red Hat · SSSD · CVE-2009-2410
**Name of the Vulnerable Software and Affected Versions**
sssd version 0.4.1
**Description**
The issue lies in the `local_handler_callback` function in `server/responder/pam/pam_LOCAL_domain.c`, which does not properly handle blank-password accounts in the SSSD BE database. An attacker can obtain access to such an account by sending its username together with an arbitrary password over an ssh connection.
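The failure class described above, an authentication path that does not treat a blank stored credential as a hard failure, as an added illustration in C that is not SSSD's code: `toy_crypt` is a constructed stand-in for crypt(3), and the vulnerable and hardened check functions are assumed shapes of the bug, not the actual `local_handler_callback` logic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HASH_LEN 64

/* Constructed stand-in for crypt(3): the setting string "$t$<salt>$..." supplies
   the salt and the result is "$t$<salt>$<16 hex digits>". Like crypt-style APIs
   it yields an empty result when the setting carries no usable salt. */
static const char *toy_crypt(const char *pw, const char *setting, char out[HASH_LEN]) {
    char salt[16];
    size_t n = 0;
    out[0] = '\0';
    if (setting == NULL || strncmp(setting, "$t$", 3) != 0) return out;
    for (const char *p = setting + 3; *p && *p != '$' && n < sizeof salt - 1; p++) salt[n++] = *p;
    salt[n] = '\0';
    uint64_t h = 1469598103934665603ULL;                 /* FNV-1a over salt || pw */
    for (const char *p = salt; *p; p++) { h ^= (unsigned char)*p; h *= 1099511628211ULL; }
    for (const char *p = pw;   *p; p++) { h ^= (unsigned char)*p; h *= 1099511628211ULL; }
    snprintf(out, HASH_LEN, "$t$%s$%016llx", salt, (unsigned long long)h);
    return out;
}

/* Produce the stored hash for an account whose password is pw (constructed helper). */
const char *make_stored_hash(const char *pw, const char *salt, char out[HASH_LEN]) {
    char setting[32];
    snprintf(setting, sizeof setting, "$t$%s$", salt);
    return toy_crypt(pw, setting, out);
}

/* Vulnerable shape: the stored value is reused as the salt and the result is compared
   back against it. For a blank-password account the stored value is "", toy_crypt
   returns "", and strcmp("", "") == 0, so any supplied password is accepted. */
int check_password_vulnerable(const char *stored, const char *supplied) {
    char h[HASH_LEN];
    if (stored == NULL) return 0;
    return strcmp(toy_crypt(supplied, stored, h), stored) == 0;
}

/* Hardened shape: a blank or missing stored hash means the account has no usable
   credential, so the check fails closed; a hashing failure fails closed as well. */
int check_password_fixed(const char *stored, const char *supplied) {
    char h[HASH_LEN];
    if (stored == NULL || stored[0] == '\0') return 0;
    if (toy_crypt(supplied, stored, h)[0] == '\0') return 0;
    return strcmp(h, stored) == 0;
}

int main(void) {
    char stored[HASH_LEN];
    make_stored_hash("s3cret", "ab", stored);                /* normal account */
    printf("normal account, right password, fixed: %d\n", check_password_fixed(stored, "s3cret"));
    printf("blank-password account, any password, vulnerable: %d\n", check_password_vulnerable("", "x"));
    printf("blank-password account, any password, fixed: %d\n", check_password_fixed("", "x"));
    return 0;
}
```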
**Recommendations**
For sssd version 0.4.1, as a temporary workaround, consider disabling the `local_handler_callback` function until a patch is available. Restrict access to blank-password accounts in the SSSD BE database to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.