CVE-2018-16838
Advisory lineage Upstream: 0 Downstream: 13
Modified
Published: 25 Mar 2019, 17:41
Last modified:13 Feb 2025, 16:27
Vulnerability Summary
Overall Risk (default)
low
22/100 CVSS Score
5.5 MEDIUM
v2.0 (nvd)
EPSS Score
1.08% LOW
1% probability -0.18%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
25 Mar 2019, 17:41
Published
Vulnerability first disclosed
13 Feb 2025, 16:27
Last Modified
Vulnerability information updated
Description
A flaw was found in sssd Group Policy Objects implementation. When the GPO is not readable by SSSD due to a too strict permission settings on the server side, SSSD will allow all authenticated users to login instead of denying access.
CVSS Metrics
- v3.0•MEDIUM•Score: 5.4CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
- v2.0•MEDIUM•Score: 5.5AV:N/AC:L/Au:S/C:P/I:P/A:N
EPSS Trends
Current EPSS score: 1.08%• Percentile: 78%
Techniques & Countermeasures
- CWE-284•Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
- CWE-269•Improper Privilege Management
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Affected Systems
- fedoraproject•sssd
na
- redhat•enterprise_linux
7.0
- [unknown]•sssd
n/a
References (7)
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16838
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00042.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00051.html
- https://access.redhat.com/errata/RHSA-2019:2177
- https://access.redhat.com/errata/RHSA-2019:2437
- https://access.redhat.com/errata/RHSA-2019:3651
- https://lists.debian.org/debian-lts-announce/2023/05/msg00028.html