CVE-2017-7488
CVSS V2 Medium 4
CVSS V3 Medium 4.3
Description
Authconfig version 6.2.8 is vulnerable to an Information exposure while using SSSD to authenticate against remote server resulting in the leak of information about existing usernames.
Overview
- CVE ID
- CVE-2017-7488
- Assigner
- secalert@redhat.com
- Vulnerability Status
- Modified
- Published Version
- 2017-05-16T18:29:00
- Last Modified Date
- 2023-02-12T23:30:12
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| cpe:2.3:a:authconfig_project:authconfig:6.2.8:*:*:*:*:*:*:* | 1 | OR |
CVSS Version 2
- Version
- 2.0
- Vector String
- AV:N/AC:L/Au:S/C:P/I:N/A:N
- Access Vector
- NETWORK
- Access Compatibility
- LOW
- Authentication
- SINGLE
- Confidentiality Impact
- PARTIAL
- Integrity Impact
- NONE
- Availability Impact
- NONE
- Base Score
- 4
- Severity
- MEDIUM
- Exploitability Score
- 8
- Impact Score
- 2.9
CVSS Version 3
- Version
- 3.0
- Vector String
- CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- Attack Vector
- NETWORK
- Attack Compatibility
- LOW
- Privileges Required
- LOW
- User Interaction
- NONE
- Scope
- UNCHANGED
- Confidentiality Impact
- LOW
- Availability Impact
- NONE
- Base Score
- 4.3
- Base Severity
- MEDIUM
- Exploitability Score
- 2.8
- Impact Score
- 1.4
References
| Reference URL | Reference Tags |
|---|---|
| http://www.securityfocus.com/bid/101784 | |
| https://access.redhat.com/errata/RHSA-2017:2285 | |
| https://access.redhat.com/security/cve/CVE-2017-7488 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1441604 | Issue Tracking Patch Third Party Advisory VDB Entry |
| https://pagure.io/authconfig/c/0972f61ad4b5657ed89cf953e8f58f6513096224?branch=master | Patch Third Party Advisory |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2017-7488 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7488 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2022-05-10 18:51:28 | Added to TrackCVE | |||
| 2022-12-02 16:59:40 | 2017-05-16T18:29Z | 2017-05-16T18:29:00 | CVE Published Date | updated |
| 2022-12-02 16:59:40 | 2018-01-05T02:31:51 | CVE Modified Date | updated | |
| 2022-12-02 16:59:41 | Modified | Vulnerability Status | updated | |
| 2023-02-02 15:06:09 | 2023-02-02T14:16:54 | CVE Modified Date | updated | |
| 2023-02-02 15:06:09 | Authconfig version 6.2.8 is vulnerable to an Information exposure while using SSSD to authenticate against remote server resulting in the leak of information about existing usernames. | A flaw was found where authconfig could configure sssd in a way that treats existing and non-existing logins differently, leaking information on existence of a user. An attacker with physical or network access to the machine could enumerate users via a timing attack. | Description | updated |
| 2023-02-02 15:06:10 | References | updated | ||
| 2023-02-13 00:06:28 | 2023-02-12T23:30:12 | CVE Modified Date | updated | |
| 2023-02-13 00:06:29 | A flaw was found where authconfig could configure sssd in a way that treats existing and non-existing logins differently, leaking information on existence of a user. An attacker with physical or network access to the machine could enumerate users via a timing attack. | Authconfig version 6.2.8 is vulnerable to an Information exposure while using SSSD to authenticate against remote server resulting in the leak of information about existing usernames. | Description | updated |