CVE-2023-3758: Sssd: race condition during authorization leads to gpo policies functioning inconsistently
First published: Tue Jul 18 2023(Updated: )
A race condition flaw was found in sssd where the GPO policy is not consistently applied for authenticated users. This may lead to improper authorization issues, granting or denying access to resources inappropriately.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| ubuntu/sssd | <2.2.3-3ubuntu0.13 | 2.2.3-3ubuntu0.13 |
| ubuntu/sssd | <2.6.3-1ubuntu3.3 | 2.6.3-1ubuntu3.3 |
| ubuntu/sssd | <2.9.1-2ubuntu2.1 | 2.9.1-2ubuntu2.1 |
| ubuntu/sssd | <2.9.4-1.1ubuntu6.1 | 2.9.4-1.1ubuntu6.1 |
| ubuntu/sssd | <2.9.5-1 | 2.9.5-1 |
| debian/sssd | <=2.4.1-2<=2.8.2-4 | 2.9.5-3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/errata/RHSA-2024:1919
- https://access.redhat.com/errata/RHSA-2024:1920
- https://access.redhat.com/errata/RHSA-2024:1921
- https://access.redhat.com/errata/RHSA-2024:1922
- https://access.redhat.com/errata/RHSA-2024:2571
- https://access.redhat.com/errata/RHSA-2024:3270
- https://access.redhat.com/security/cve/CVE-2023-3758
- https://bugzilla.redhat.com/show_bug.cgi?id=2223762
- https://github.com/SSSD/sssd/pull/7302
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RV3HIZI3SURBUQKSOOL3XE64OOBQ2HTK/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XEP62IDS7A55D5UHM6GH7QZ7SQFOAPVF/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XMORAO2BDDA5YX4ZLMXDZ7SM6KU47SY5/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2222429
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2275905
- https://www.cve.org/CVERecord?id=CVE-2023-3758
- https://ubuntu.com/security/notices/USN-6836-1
- https://nvd.nist.gov/vuln/detail/CVE-2023-3758
- https://launchpad.net/bugs/cve/CVE-2023-3758
- https://security-tracker.debian.org/tracker/CVE-2023-3758
- https://github.com/SSSD/sssd/commit/d7db7971682da2dbf7642ac94940d6b0577ec35a
- https://github.com/SSSD/sssd/commit/e1bfbc2493c4194988acc3b2413df3dde0735ae3
- https://github.com/SSSD/sssd/commit/f4ebe1408e0bc67abfbfb5f0ca2ea13803b36726
- https://ubuntu.com/security/CVE-2023-3758
Frequently Asked Questions
What is the severity of CVE-2023-3758?
CVE-2023-3758 is classified as a medium severity vulnerability due to its potential for improper authorization issues.
How do I fix CVE-2023-3758?
To fix CVE-2023-3758, upgrade the sssd package to versions 2.2.3-3ubuntu0.13, 2.6.3-1ubuntu3.3, 2.9.1-2ubuntu2.1, 2.9.4-1.1ubuntu6.1, or 2.9.5-1 depending on your distribution.
What systems are affected by CVE-2023-3758?
CVE-2023-3758 affects various versions of the sssd package on Ubuntu and Debian systems.
What kind of vulnerability is CVE-2023-3758?
CVE-2023-3758 is a race condition vulnerability that affects the application of GPO policies in sssd.
What are the potential consequences of CVE-2023-3758?
The potential consequences of CVE-2023-3758 include unauthorized resource access due to inconsistent application of GPO policies.
- agent/first-publish-date
- agent/title
- agent/weakness
- agent/type
- agent/severity
- collector/usn-cve
- source/Ubuntu
- agent/software-canonical-lookup
- agent/references
- agent/remedy
- agent/description
- collector/launchpad-cve
- source/Launchpad
- agent/event
- collector/nvd-cve
- source/NVD
- agent/author
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-3758
- collector/nvd-api
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/trending
- agent/tags
- agent/source
- package-manager/ubuntu
- package-manager/debian