CVE-2018-10852

LOW

Debian Linux < 1.16.3 - Information Disclosure

Title source: rule

Description

The UNIX pipe that sudo uses to contact SSSD and read the available sudo rules has overly broad permissions, so anyone who can send a message using the same raw protocol that sudo and SSSD use can read the sudo rules available for any user. This affects versions of SSSD before 1.16.3.

References (4)

Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2018/07/msg00019.html
Issue Tracking, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10852
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:3158
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/104547

Scores

CVSS v3 3.8
EPSS 0.0152
EPSS Percentile 71.5%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Details

CWE
CWE-200
Status published
Products (5)
debian/debian_linux 8.0
fedoraproject/sssd < 1.16.3
redhat/enterprise_linux_desktop 7.0
redhat/enterprise_linux_server 7.0
redhat/enterprise_linux_workstation 7.0
Published Jun 26, 2018
Tracked Since Feb 18, 2026