{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-10-11T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "Memory leak in the Privilege Attribute Certificate (PAC) responder plugin (sssd_pac_plugin.so) in System Security Services Daemon (SSSD) 1.10 before 1.13.1 allows remote authenticated users to cause a denial of service (memory consumption) via a large number of logins that trigger parsing of PAC blobs during Kerberos authentication."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-12-05T22:57:01.000Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "RHSA-2015:2355", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-2355.html"}, {"name": "RHSA-2015:2019", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-2019.html"}, {"name": "[sssd-users] 20151021 A security bug in SSSD 1.10 and later (CVE-2015-5292)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://permalink.gmane.org/gmane.linux.redhat.sssd.user/3422"}, {"name": "1034038", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1034038"}, {"name": "77529", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/77529"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://fedorahosted.org/sssd/attachment/ticket/2803/0001-Fix-memory-leak-in-sssdpac_verify.patch"}, {"name": "FEDORA-2015-cdea5324a8", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169613.html"}, {"name": "FEDORA-2015-202c127199", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169110.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1267580"}, {"name": "FEDORA-2015-7b47df69d3", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169597.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://fedorahosted.org/sssd/ticket/2803"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.1"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T06:41:09.410Z"}, "title": "CVE Program Container", "references": [{"name": "RHSA-2015:2355", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2015-2355.html"}, {"name": "RHSA-2015:2019", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2015-2019.html"}, {"name": "[sssd-users] 20151021 A security bug in SSSD 1.10 and later (CVE-2015-5292)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://permalink.gmane.org/gmane.linux.redhat.sssd.user/3422"}, {"name": "1034038", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1034038"}, {"name": "77529", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/77529"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://fedorahosted.org/sssd/attachment/ticket/2803/0001-Fix-memory-leak-in-sssdpac_verify.patch"}, {"name": "FEDORA-2015-cdea5324a8", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169613.html"}, {"name": "FEDORA-2015-202c127199", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169110.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1267580"}, {"name": "FEDORA-2015-7b47df69d3", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169597.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://fedorahosted.org/sssd/ticket/2803"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.1"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2015-5292", "datePublished": "2015-10-29T16:00:00.000Z", "dateReserved": "2015-07-01T00:00:00.000Z", "dateUpdated": "2024-08-06T06:41:09.410Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fedoraproject:sssd:1.10.0:*:*:*:*:*:*:*", "matchCriteriaId": "5AFCDECF-26E1-4B23-A91D-F8DD668DF32A", "vulnerable": true}, {"criteria": "cpe:2.3:a:fedoraproject:sssd:1.10.1:*:*:*:*:*:*:*", "matchCriteriaId": "B1590881-C44A-446E-BAF6-5CE59DAF6A66", "vulnerable": true}, {"criteria": "cpe:2.3:a:fedoraproject:sssd:1.11.0:*:*:*:*:*:*:*", "matchCriteriaId": "C32B676B-97B6-48AA-BE8D-743FE52B4438", "vulnerable": true}, {"criteria": "cpe:2.3:a:fedoraproject:sssd:1.11.1:*:*:*:*:*:*:*", "matchCriteriaId": "E963CF03-E0DC-4BEE-AAE3-DF09B2F57767", "vulnerable": true}, {"criteria": "cpe:2.3:a:fedoraproject:sssd:1.11.2:*:*:*:*:*:*:*", "matchCriteriaId": "0968753D-BA33-4D0B-849C-FC9B7EBDC70D", "vulnerable": true}, {"criteria": "cpe:2.3:a:fedoraproject:sssd:1.11.3:*:*:*:*:*:*:*", "matchCriteriaId": "3B96047C-CA3E-4708-8EB3-F33CD0BE0FE9", "vulnerable": true}, {"criteria": "cpe:2.3:a:fedoraproject:sssd:1.11.4:*:*:*:*:*:*:*", "matchCriteriaId": "FFAD8539-1CEC-454E-BA68-8D8B6033751E", "vulnerable": true}, {"criteria": "cpe:2.3:a:fedoraproject:sssd:1.11.5:*:*:*:*:*:*:*", "matchCriteriaId": "81824ADB-8797-45B0-9B83-953F899A00D3", "vulnerable": true}, {"criteria": "cpe:2.3:a:fedoraproject:sssd:1.11.6:*:*:*:*:*:*:*", "matchCriteriaId": "1890E09D-3AD6-4C46-AD2F-C89DCC436C02", "vulnerable": true}, {"criteria": "cpe:2.3:a:fedoraproject:sssd:1.11.7:*:*:*:*:*:*:*", "matchCriteriaId": "8041D271-F9DF-452F-BC4E-9F69B4A0F3A3", "vulnerable": true}, {"criteria": "cpe:2.3:a:fedoraproject:sssd:1.12.0:*:*:*:*:*:*:*", "matchCriteriaId": "2783866D-0DE2-4E92-90CB-53DA9B914A21", "vulnerable": true}, {"criteria": "cpe:2.3:a:fedoraproject:sssd:1.12.1:*:*:*:*:*:*:*", "matchCriteriaId": "2C7D641D-E018-4EC1-9416-5C788C9F1107", "vulnerable": true}, {"criteria": "cpe:2.3:a:fedoraproject:sssd:1.12.2:*:*:*:*:*:*:*", "matchCriteriaId": "4C81F4DF-4190-4D9B-8C1B-CD51B4678B93", "vulnerable": true}, {"criteria": "cpe:2.3:a:fedoraproject:sssd:1.12.3:*:*:*:*:*:*:*", "matchCriteriaId": "F52B44E7-71AB-4028-B9A3-E80508EF0AE7", "vulnerable": true}, {"criteria": "cpe:2.3:a:fedoraproject:sssd:1.12.4:*:*:*:*:*:*:*", "matchCriteriaId": "68D7CEC8-8D38-451D-B9C3-A68224125906", "vulnerable": true}, {"criteria": "cpe:2.3:a:fedoraproject:sssd:1.12.5:*:*:*:*:*:*:*", "matchCriteriaId": "09EAA45E-0F9E-4E04-BB81-C91E3357B030", "vulnerable": true}, {"criteria": "cpe:2.3:a:fedoraproject:sssd:1.13.0:*:*:*:*:*:*:*", "matchCriteriaId": "9E3A3029-5612-47C4-8F32-0209F4733AF7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Memory leak in the Privilege Attribute Certificate (PAC) responder plugin (sssd_pac_plugin.so) in System Security Services Daemon (SSSD) 1.10 before 1.13.1 allows remote authenticated users to cause a denial of service (memory consumption) via a large number of logins that trigger parsing of PAC blobs during Kerberos authentication."}, {"lang": "es", "value": "Fuga de memoria en el plugin en Privilege Attribute Certificate (PAC) responder (sssd_pac_plugin.so) en System Security Services Daemon (SSSD) 1.10 en versiones anteriores a 1.13.1 permite a usuarios remotos autenticados provocar una denegaci\u00f3n de servicio (consumo de memoria) a trav\u00e9s de un gran n\u00famero de logins que desencadenan an\u00e1lisis gramaticales de blobs de PAC durante la autenticaci\u00f3n Kerberos."}], "id": "CVE-2015-5292", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 6.8, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-10-29T16:59:00.117", "references": [{"source": "secalert@redhat.com", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169110.html"}, {"source": "secalert@redhat.com", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169597.html"}, {"source": "secalert@redhat.com", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169613.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://permalink.gmane.org/gmane.linux.redhat.sssd.user/3422"}, {"source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2015-2019.html"}, {"source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2015-2355.html"}, {"source": "secalert@redhat.com", "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/77529"}, {"source": "secalert@redhat.com", "url": "http://www.securitytracker.com/id/1034038"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1267580"}, {"source": "secalert@redhat.com", "url": "https://fedorahosted.org/sssd/attachment/ticket/2803/0001-Fix-memory-leak-in-sssdpac_verify.patch"}, {"source": "secalert@redhat.com", "url": "https://fedorahosted.org/sssd/ticket/2803"}, {"source": "secalert@redhat.com", "url": "https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169110.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169597.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169613.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://permalink.gmane.org/gmane.linux.redhat.sssd.user/3422"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2015-2019.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2015-2355.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/77529"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id/1034038"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1267580"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://fedorahosted.org/sssd/attachment/ticket/2803/0001-Fix-memory-leak-in-sssdpac_verify.patch"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://fedorahosted.org/sssd/ticket/2803"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.1"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-399"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2015:2019", "cpe": "cpe:/o:redhat:enterprise_linux:6", "package": "sssd-0:1.12.4-47.el6_7.4", "product_name": "Red Hat Enterprise Linux 6", "release_date": "2015-11-10T00:00:00Z"}, {"advisory": "RHSA-2015:2355", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "sssd-0:1.13.0-40.el7", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2015-11-19T00:00:00Z"}], "bugzilla": {"description": "sssd: memory leak in the sssd_pac_plugin", "id": "1267580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1267580"}, "csaw": false, "cvss": {"cvss_base_score": "2.1", "cvss_scoring_vector": "AV:N/AC:H/Au:S/C:N/I:N/A:P", "status": "verified"}, "cwe": "CWE-401", "details": ["Memory leak in the Privilege Attribute Certificate (PAC) responder plugin (sssd_pac_plugin.so) in System Security Services Daemon (SSSD) 1.10 before 1.13.1 allows remote authenticated users to cause a denial of service (memory consumption) via a large number of logins that trigger parsing of PAC blobs during Kerberos authentication.", "It was found that SSSD's Privilege Attribute Certificate (PAC) responder plug-in would leak a small amount of memory on each authentication request. A remote attacker could potentially use this flaw to exhaust all available memory on the system by making repeated requests to a Kerberized daemon application configured to authenticate using the PAC responder plug-in."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2015-5292", "package_state": [{"cpe": "cpe:/a:cloudforms_managementengine:5.3", "fix_state": "Will not fix", "package_name": "sssd", "product_name": "CloudForms Management Engine 5.3"}, {"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Will not fix", "package_name": "sssd", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "sssd", "product_name": "Red Hat Satellite 6"}], "public_date": "2015-09-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2015-5292\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-5292"], "threat_severity": "Low"}

{}