CVE-2022-4254

Description

sssd: libsss_certmap fails to sanitise certificate data used in LDAP filters

CVSS Metrics

• v3.1•HIGH•Score: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 0.08%• Percentile: 24%

Techniques & Countermeasures

• CWE-90•Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

  The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.

Affected Systems

• fedoraproject•sssd

  ≥ 1.15.3, < 2.3.1

• redhat•enterprise_linux

  8.0

• redhat•enterprise_linux_desktop

  7.0

• redhat•enterprise_linux_for_ibm_z_systems

  7.0

• redhat•enterprise_linux_for_power_big_endian

  7.0

• redhat•enterprise_linux_for_power_little_endian

  7.0

• redhat•enterprise_linux_for_scientific_computing

  7.0

• redhat•enterprise_linux_server

  7.0

• redhat•enterprise_linux_server_aus

  8.2

• redhat•enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions

  8.1 | 8.2

• redhat•enterprise_linux_server_tus

  8.2

• redhat•enterprise_linux_server_update_services_for_sap_solutions

  8.1

• redhat•enterprise_linux_workstation

  7.0

References (5)

• https://bugzilla.redhat.com/show_bug.cgi?id=2149894
• https://github.com/SSSD/sssd/issues/5135
• https://github.com/SSSD/sssd/commit/a2b9a84460429181f2a4fa7e2bb5ab49fd561274
• https://access.redhat.com/security/cve/CVE-2022-4254
• https://lists.debian.org/debian-lts-announce/2023/05/msg00028.html