{
  "threat_severity" : "Moderate",
  "public_date" : "2017-05-09T00:00:00Z",
  "bugzilla" : {
    "description" : "authconfig: Information leak when SSSD is used for authentication against remote server",
    "id" : "1441604",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1441604"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-200",
  "details" : [ "Authconfig version 6.2.8 is vulnerable to an Information exposure while using SSSD to authenticate against remote server resulting in the leak of information about existing usernames.", "A flaw was found where authconfig could configure sssd in a way that treats existing and non-existing logins differently, leaking information on existence of a user. An attacker with physical or network access to the machine could enumerate users via a timing attack." ],
  "acknowledgement" : "This issue was discovered by Thorsten Scherf (Red Hat) and Tomas Mraz (Red Hat).",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2017-08-01T00:00:00Z",
    "advisory" : "RHSA-2017:2285",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "authconfig-0:6.2.8-30.el7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Not affected",
    "package_name" : "authconfig",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "authconfig",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2017-7488\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-7488" ],
  "name" : "CVE-2017-7488",
  "mitigation" : {
    "value" : "Possible workaround (with side-effects):\nauthconfig --enablesysnetauth --update",
    "lang" : "en:us"
  },
  "csaw" : false
}