CVE-2010-0014

CWE-287Improper Authentication8 documents7 sources
Severity
3.7LOW
EPSS
0.1%
top 67.09%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Fedoraproject Sssd
Timeline
PublishedJan 14
Latest updateMay 2

Description

System Security Services Daemon (SSSD) before 1.0.1, when the krb5 auth_provider is configured but the KDC is unreachable, allows physically proximate attackers to authenticate, via an arbitrary password, to the screen-locking program on a workstation that has any user's Kerberos ticket-granting ticket (TGT); and might allow remote attackers to bypass intended access restrictions via vectors involving an arbitrary password in conjunction with a valid TGT.

CVSS vector

AV:L/AC:H/C:P/I:P/A:PExploitability: 1.9 | Impact: 6.4

Affected Packages2 packages

Debiansssd< 1.0.5-1+3
NVDfedoraproject/sssd1.0.0+14

Patches

Patch: fedorahosted.orgPatch: fedorahosted.org

🔴Vulnerability Details

3
GHSA
GHSA-fh23-xmjc-5cw7: System Security Services Daemon (SSSD) before 12022-05-02
OSV
CVE-2010-0014: System Security Services Daemon (SSSD) before 12010-01-14
CVEList
CVE-2010-0014: System Security Services Daemon (SSSD) before 12010-01-14

📋Vendor Advisories

2
Red Hat
SSSD accepts any password when offline with a valid TGT available2010-01-11
Debian
CVE-2010-0014: sssd - System Security Services Daemon (SSSD) before 1.0.1, when the krb5 auth_provider...2010

💬Community

2
Bugzilla
CVE-2010-0014 SSSD accepts any password when offline with a valid TGT available2010-01-08
Bugzilla
CVE-2010-0014 SSSD accepts any password when offline with a valid TGT available2010-01-07
CVE-2010-0014 (LOW CVSS 3.7) | System Security Services Daemon (SS | cvebase.io