#3549 CVE-2017-12173: Unsanitized input when searching in local cache database
Closed: Fixed 2 years ago Opened 2 years ago by jhrozek.

Summary: SSSD stores its cached data in an LDAP-like local database
file using libldb. To look up cached data, LDAP search filters
like '(objectClass=user)(name=user_name)' are used. However, in
sysdb_search_user_by_upn_res(), the input is not sanitized, which allows
the search filter for cache lookups to be manipulated. This would allow
a logged-in user to discover the password hash of a different user.

For more details, see: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org/message/IKWCIYZ3E6ATZECU2SIWCJ22POSDTI2V/
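
The kind of sanitization the summary says is missing, as an added example (not SSSD's code and not taken from this ticket): RFC 4515 escaping of a user-supplied value before it is placed into a search filter. The function names, the `&` wrapper around the filter and the sample input are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RFC 4515 escaping: each filter metacharacter in an assertion value is
 * replaced by a backslash and two hex digits, so it can no longer open,
 * close or wildcard a filter component. A NUL byte cannot occur inside a
 * C string, so it needs no case here.
 * Returns a malloc'd string the caller frees, or NULL on allocation failure. */
char *filter_escape(const char *in)
{
    static const char hex[] = "0123456789abcdef";
    size_t len = strlen(in);
    char *out = malloc(len * 3 + 1);   /* worst case: every byte escaped */
    size_t j = 0;

    if (out == NULL) return NULL;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '*' || c == '(' || c == ')' || c == '\\') {
            out[j++] = '\\';
            out[j++] = hex[c >> 4];
            out[j++] = hex[c & 0x0f];
        } else {
            out[j++] = (char)c;
        }
    }
    out[j] = '\0';
    return out;
}

/* Hypothetical helper: writes "(&(objectClass=user)(name=<escaped>))" to buf.
 * Returns 0 on success, -1 on allocation failure or if buf is too small. */
int build_user_filter(char *buf, size_t size, const char *value)
{
    char *safe = filter_escape(value);
    int n;

    if (safe == NULL) return -1;
    n = snprintf(buf, size, "(&(objectClass=user)(name=%s))", safe);
    free(safe);
    return (n < 0 || (size_t)n >= size) ? -1 : 0;
}

int main(void)
{
    char filter[256];
    /* Constructed input containing every filter metacharacter. */
    if (build_user_filter(filter, sizeof(filter), "a*(b)\\c") != 0) return 1;
    puts(filter);
    return 0;
}
```

The truncation check matters as much as the escaping: a filter cut off mid-value is rejected rather than passed to the search.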


master:

and fix for removing dead code

Metadata Update from @jhrozek:
- Issue close_status updated to: Fixed
- Issue set to the milestone: SSSD 1.15.4
- Issue status updated to: Closed (was: Open)

2 years ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.16.0 (was: SSSD 1.15.4)

2 years ago

Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1499659

2 years ago
