CVE-2018-16838 — Improper Access Control in Sssd

CWE-284 — Improper Access Control CWE-269 — Improper Privilege Management8 documents7 sources

Severity

5.4MEDIUMNVD

OSV7.5

EPSS

0.9%

top 24.02%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fedoraproject Sssd Debian Sssd Redhat Enterprise Linux

Timeline

PublishedMar 25

Latest updateMay 13

Description

A flaw was found in sssd Group Policy Objects implementation. When the GPO is not readable by SSSD due to a too strict permission settings on the server side, SSSD will allow all authenticated users to login instead of denying access.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages3 packages

▶debiandebian/sssd< sssd 2.2.0-1 (bookworm)

▶Debianfedoraproject/sssd< 2.2.0-1+3

▶Ubuntufedoraproject/sssd< 1.16.1-1ubuntu1.8+1

Also affects: Enterprise Linux 7.0

🔴Vulnerability Details

GHSA

GHSA-h2vj-4wwx-54q4: A flaw was found in sssd Group Policy Objects implementation↗2022-05-13

▶

OSV

sssd vulnerabilities↗2021-09-08

▶

OSV

CVE-2018-16838: A flaw was found in sssd Group Policy Objects implementation↗2019-03-25

▶

📋Vendor Advisories

Ubuntu

SSSD vulnerabilities↗2021-09-08

▶

Red Hat

sssd: improper implementation of GPOs due to too restrictive permissions↗2019-02-04

▶

Debian

CVE-2018-16838: sssd - A flaw was found in sssd Group Policy Objects implementation. When the GPO is no...↗2018

▶

💬Community

Bugzilla

CVE-2018-16838 sssd: improper implementation of GPOs due to too restrictive permissions↗2018-10-18

▶