{
  "threat_severity" : "Low",
  "public_date" : "2018-06-26T00:00:00Z",
  "bugzilla" : {
    "description" : "sssd: information leak from the sssd-sudo responder",
    "id" : "1588810",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1588810"
  },
  "cvss3" : {
    "cvss3_base_score" : "3.8",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-200",
  "details" : [ "The UNIX pipe which sudo uses to contact SSSD and read the available sudo rules from SSSD has too wide permissions, which means that anyone who can send a message using the same raw protocol that sudo and SSSD use can read the sudo rules available for any user. This affects versions of SSSD before 1.16.3.", "The UNIX pipe which sudo uses to contact SSSD and read the available sudo rules from SSSD utilizes too broad of a set of permissions. Any user who can send a message using the same raw protocol that sudo and SSSD use can read the sudo rules available for any user." ],
  "statement" : "Red Hat Satellite since version 6.4 uses sssd from the Red Hat Enterprise Linux repositories, where this vulnerability is fixed.",
  "acknowledgement" : "This issue was discovered by Jakub Hrozek (Red Hat).",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2018-10-30T00:00:00Z",
    "advisory" : "RHSA-2018:3158",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "sssd-0:1.16.2-13.el7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Will not fix",
    "package_name" : "sssd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Will not fix",
    "package_name" : "sssd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "sssd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Fix deferred",
    "package_name" : "sssd",
    "cpe" : "cpe:/a:redhat:satellite:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2018-10852\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-10852\nhttps://pagure.io/SSSD/sssd/issue/3766" ],
  "name" : "CVE-2018-10852",
  "csaw" : false
}