Published: 16 August 2021
A flaw was found in SSSD, where the sssctl command was vulnerable to shell command injection via the logs-fetch and cache-expire subcommands. This flaw allows an attacker to trick the root user into running a specially crafted sssctl command, such as via sudo, to gain root access. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
CVSS 3 base score: 8.8
Launchpad, Ubuntu, Debian
|Ubuntu 21.10 (Impish Indri)||
|Ubuntu 21.04 (Hirsute Hippo)||
|Ubuntu 20.04 LTS (Focal Fossa)||
|Ubuntu 18.04 LTS (Bionic Beaver)||
|Ubuntu 16.04 ESM (Xenial Xerus)||
(code not present)
|Ubuntu 14.04 ESM (Trusty Tahr)||
Does not exist
vulnerability was introduced in v1.13.91 by commit: https://github.com/SSSD/sssd/commit/e157b9f6cb370e1b94bcac2044d26ad66d640fba xenial/esm is not-affected as it is based on 1.13.4-1 and so, code affected is not present.