CVE-2009-2410

The local_handler_callback function in server/responder/pam/pam_LOCAL_domain.c in sssd 0.4.1 does not properly handle blank-password accounts in the SSSD BE database, which allows context-dependent attackers to obtain access by sending the account's username, in conjunction with an arbitrary password, over an ssh connection.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:P/I:P/A:P
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 62%
VendorProductVersion
fedorahostedsssd
0.4.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
sssd
bullseye
2.4.1-2
fixed
bookworm
2.8.2-4
fixed
sid
2.9.5-3
fixed
Common Weakness Enumeration
References
http://secunia.com/advisories/36018
http://www.securityfocus.com/bid/35868
https://bugzilla.redhat.com/attachment.cgi?id=355424
https://bugzilla.redhat.com/show_bug.cgi?id=514057
https://exchange.xforce.ibmcloud.com/vulnerabilities/52210
https://www.redhat.com/archives/fedora-package-announce/2009-July/msg01236.html
http://secunia.com/advisories/36018
http://www.securityfocus.com/bid/35868
https://bugzilla.redhat.com/attachment.cgi?id=355424
https://bugzilla.redhat.com/show_bug.cgi?id=514057
https://exchange.xforce.ibmcloud.com/vulnerabilities/52210
https://www.redhat.com/archives/fedora-package-announce/2009-July/msg01236.html