#VU14328 Information disclosure in System Security Services Daemon (SSSD) - CVE-2018-10852

 


Published: August 10, 2018 / Updated: August 13, 2018


Vulnerability identifier: #VU14328
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-10852
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: System Security Services Daemon (SSSD)
Software vendor: SSSD

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists due to overly broad permissions on the UNIX pipe that sudo uses to contact SSSD and read the available sudo rules. A remote attacker who sends a message using the same raw protocol that sudo and SSSD use can read the sudo rules available for any user.


Remediation

Update to version 1.16.3.
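
A defender-side check for the condition described above, as an added example that is not SSSD's or the advisory's code: it audits a UNIX socket for group or world access. The socket path is not given on this page, so `audit_unix_socket` takes it as a parameter; the function names and the demo socket are constructed for illustration.

```python
import os
import socket
import stat
import tempfile


def audit_unix_socket(path, expected_uid=0):
    """Return findings for a UNIX socket that should be private to one user.

    On Linux, connecting to a UNIX socket requires write permission on the
    socket file, so a group or other write bit widens who can talk to it.
    """
    st = os.lstat(path)
    if not stat.S_ISSOCK(st.st_mode):
        return ["not a UNIX socket"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != expected_uid:
        findings.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    if mode & stat.S_IWOTH:
        findings.append(f"mode {mode:04o}: every account on the host can connect")
    if mode & stat.S_IWGRP:
        findings.append(f"mode {mode:04o}: members of gid {st.st_gid} can connect")
    return findings


def demo():
    """Audit a constructed socket, first with a wide mode, then a strict one."""
    with tempfile.TemporaryDirectory() as workdir:
        # Constructed stand-in socket, not the SSSD responder socket.
        path = os.path.join(workdir, "demo.sock")
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            srv.bind(path)
            os.chmod(path, 0o666)
            wide = audit_unix_socket(path, expected_uid=os.getuid())
            os.chmod(path, 0o600)
            strict = audit_unix_socket(path, expected_uid=os.getuid())
        finally:
            srv.close()
    return wide, strict


if __name__ == "__main__":
    wide, strict = demo()
    print("0666:", wide)
    print("0600:", strict)
```

On a real host, call `audit_unix_socket` with the path of the sudo responder socket from your SSSD installation; an empty list means only the expected owner can connect.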
