CVE-2018-16838
First published: Thu Oct 18 2018(Updated: )
A flaw was found in sssd Group Policy Objects implementation. When the GPO is not readable by SSSD due to a too strict permission settings on the server side, SSSD will allow all authenticated users to login instead of denying access.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/sssd | <0:1.16.4-21.el7 | 0:1.16.4-21.el7 |
| redhat/sssd | <0:2.2.0-19.el8 | 0:2.2.0-19.el8 |
| redhat/imgbased | <0:1.1.9-0.1.el7e | 0:1.1.9-0.1.el7e |
| redhat/ovirt-node-ng | <0:4.3.5-0.20190717.0.el7e | 0:4.3.5-0.20190717.0.el7e |
| redhat/redhat-release-virtualization-host | <0:4.3.5-2.el7e | 0:4.3.5-2.el7e |
| redhat/redhat-virtualization-host | <0:4.3.5-20190722.0.el7_7 | 0:4.3.5-20190722.0.el7_7 |
| Fedoraproject Sssd | ||
| Redhat Enterprise Linux | =7.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00042.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00051.html
- https://access.redhat.com/errata/RHSA-2019:2177
- https://access.redhat.com/errata/RHSA-2019:2437
- https://access.redhat.com/errata/RHSA-2019:3651
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16838
- https://lists.debian.org/debian-lts-announce/2023/05/msg00028.html
- https://pagure.io/SSSD/sssd/c/ad058011b6b75b15c674be46a3ae9b3cc5228175
- https://pagure.io/SSSD/sssd/issue/3867
- https://access.redhat.com/security/cve/cve-2018-16838
- https://bugzilla.redhat.com/show_bug.cgi?id=1640820
- https://www.cve.org/CVERecord?id=CVE-2018-16838 https://nvd.nist.gov/vuln/detail/CVE-2018-16838
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2018-16838?
CVE-2018-16838 is a vulnerability in the sssd Group Policy Objects implementation that allows all authenticated users to login when the GPO is not readable due to strict permission settings on the server side.
How severe is CVE-2018-16838?
CVE-2018-16838 has a severity rating of 5.4, which is considered medium.
Which software is affected by CVE-2018-16838?
The affected software includes sssd versions 1.16.4-21.el7 and 2.2.0-19.el8, imgbased version 1.1.9-0.1.el7e, ovirt-node-ng version 4.3.5-0.20190717.0.el7e, redhat-release-virtualization-host version 4.3.5-2.el7e, redhat-virtualization-host version 4.3.5-20190722.0.el7_7, Fedora Sssd, and Redhat Enterprise Linux 7.0.
How do I fix CVE-2018-16838?
To fix CVE-2018-16838, update your sssd package to version 1.16.4-21.el7 or 2.2.0-19.el8, or apply the appropriate remedy provided by your software vendor.
Where can I find more information about CVE-2018-16838?
You can find more information about CVE-2018-16838 on the following references: [1] (link to https://pagure.io/SSSD/sssd/c/ad058011b6b75b15c674be46a3ae9b3cc5228175), [2] (link to https://pagure.io/SSSD/sssd/issue/3867), and [3] (link to https://access.redhat.com/errata/RHSA-2019:2177).
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2018-16838
- agent/weakness
- agent/severity
- agent/references
- agent/author
- agent/tags
- agent/description
- agent/event
- collector/mitre-cve
- source/MITRE
- package-manager/redhat
- vendor/fedoraproject
- canonical/fedoraproject sssd
- vendor/redhat
- canonical/redhat enterprise linux
- version/redhat enterprise linux/7.0