PT-2017-3848 · Red Hat+4 · Sssd+5

Published: 2017-10-05 · Updated: 2024-06-15 · CVE-2017-12173

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: sssd versions prior to 1.16.0

Description: The issue is caused by insufficient input validation in the sysdb_search_user_by_upn_res() function of the sssd service, which manages access to remote directories and authentication mechanisms. This flaw can be exploited by a remote attacker to gain unauthorized access to protected information. In a centralized login environment, if a password hash is locally cached for a given user, an authenticated attacker could use this flaw to retrieve it.

Recommendations: For versions prior to 1.16.0, update to version 1.16.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the local cache to minimize the risk of exploitation.

Fix

RCE

Information Disclosure


Weakness Enumeration

Related Identifiers

ALT-PU-2018-1423
BDU:2019-04067
CESA-2017_3379
CESA-2018_1877
CVE-2017-12173
MGASA-2017-0421
OPENSUSE-SU-2024:11408-1
RHSA-2017:3379
RHSA-2017_3379
RHSA-2018:1877
RHSA-2018_1877
SUSE-SU-2017:2937-1
SUSE-SU-2017_2937-1
USN-3526-1

Affected Products

Alt Linux
Centos
Red Hat
Suse
Ubuntu
Sssd