OpenSUSE Linux update for sssd

Published: 2019-01-14 09:33:10
Severity Low
Patch available YES
Number of vulnerabilities 1
CVE ID CVE-2018-10852
CVSSv3 4.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CWE ID CWE-200
Exploitation vector Network
Public exploit N/A
Vulnerable software Opensuse
Vulnerable software versions Opensuse 42.3
Vendor URL Novell

Security Advisory

1) Information disclosure

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists due to overly permissive permissions on the UNIX pipe that sudo uses to contact SSSD and read the available sudo rules. A remote attacker who can send a message using the same raw protocol that sudo and SSSD use can read the sudo rules available for any user.

Remediation

Update the affected packages.
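
After updating, the permissions on the responder socket can be checked directly. The following is an added example, not code from the advisory or from the SSSD project: `audit_socket` is a hypothetical helper, the socket path is supplied by the operator because the advisory does not name it, and the owner-only policy it enforces is an assumption.

```python
import os
import stat
import sys

# Assumed policy (not stated in the advisory): only the owner may use the socket.
GROUP_OTHER = stat.S_IRWXG | stat.S_IRWXO
# On Linux, connecting to a UNIX socket requires write permission on its inode.
GROUP_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def audit_socket(path, expected_uid=0):
    """Return a list of findings for the UNIX socket at path; empty means OK."""
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink placed at the path
    except FileNotFoundError:
        return [f"{path}: not found"]
    if not stat.S_ISSOCK(st.st_mode):
        return [f"{path}: not a UNIX socket"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != expected_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    if mode & GROUP_OTHER_WRITE:
        findings.append(f"{path}: mode {mode:04o} lets non-owner accounts connect")
    elif mode & GROUP_OTHER:
        findings.append(f"{path}: mode {mode:04o} grants group/other bits")
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: audit_socket.py <path-to-sssd-sudo-socket>")
    problems = audit_socket(sys.argv[1])
    print("\n".join(problems) or "OK: socket is restricted to its owner")
    sys.exit(1 if problems else 0)
```

The script exits non-zero when it reports a finding, so it can run as a post-update check in configuration management.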

External links

https://lists.opensuse.org/opensuse-security-announce/2019-01/msg00014.html
