CVE-2018-16883

Published: 19 Dec 2018
Source: redhat
CVSS3: 2.5
EPSS: Low

Description

sssd versions from 1.13.0 to before 2.0.0 did not properly restrict access to the infopipe according to the "allowed_uids" configuration parameter. If sensitive information were stored in the user directory, this could be inadvertently disclosed to local attackers.

sssd, versions 1.13.0 to before 2.0.0, did not properly restrict access to the infopipe according to the "allowed_uids" configuration parameter. Sensitive information could be inadvertently disclosed to local attackers if it was stored in the user directory.

Statement

The information exposed by this vulnerability is typically not highly sensitive. By default, it is only those fields returned by getpwent() and getgrent().

Mitigation

This vulnerability is only exposed if the infopipe service is enabled (enabled by default in Red Hat Enterprise Linux 7, disabled by default in Red Hat Enterprise Linux 6), and [ifp].allowed_uids is relied upon to protect sensitive information in the user directory.

Affected packages

Platform | Package | State | Recommendation | Release
Red Hat Enterprise Linux 5 | sssd | Not affected | |
Red Hat Enterprise Linux 6 | sssd | Will not fix | |
Red Hat Enterprise Linux 7 | sssd | Fix deferred | |
Red Hat Enterprise Linux 8 | sssd | Not affected | |

Additional information

Status: Low
Defect: CWE-200
https://bugzilla.redhat.com/show_bug.cgi?id=1659862
sssd: Information leak in infopipe due to an improper uid restriction

EPSS

Percentile: 32%
0.00126
Low

CVSS3: 2.5 Low

Related vulnerabilities

CVSS3: 2.5
ubuntu
about 7 years ago

sssd versions from 1.13.0 to before 2.0.0 did not properly restrict access to the infopipe according to the "allowed_uids" configuration parameter. If sensitive information were stored in the user directory, this could be inadvertently disclosed to local attackers.

CVSS3: 2.5
nvd
about 7 years ago

sssd versions from 1.13.0 to before 2.0.0 did not properly restrict access to the infopipe according to the "allowed_uids" configuration parameter. If sensitive information were stored in the user directory, this could be inadvertently disclosed to local attackers.

CVSS3: 2.5
debian
about 7 years ago

sssd versions from 1.13.0 to before 2.0.0 did not properly restrict ac ...

CVSS3: 5.5
github
more than 3 years ago

sssd versions from 1.13.0 to before 2.0.0 did not properly restrict access to the infopipe according to the "allowed_uids" configuration parameter. If sensitive information were stored in the user directory, this could be inadvertently disclosed to local attackers.
