{"containers": {"cna": {"affected": [{"product": "authconfig", "vendor": "authconfig", "versions": [{"status": "affected", "version": "6.2.8"}]}], "datePublic": "2017-05-09T00:00:00", "descriptions": [{"lang": "en", "value": "Authconfig version 6.2.8 is vulnerable to an Information exposure while using SSSD to authenticate against remote server resulting in the leak of information about existing usernames."}], "problemTypes": [{"descriptions": [{"description": "Information exposure", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-01-04T19:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://pagure.io/authconfig/c/0972f61ad4b5657ed89cf953e8f58f6513096224?branch=master"}, {"name": "101784", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/101784"}, {"name": "RHSA-2017:2285", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:2285"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1441604"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T16:04:11.602Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://pagure.io/authconfig/c/0972f61ad4b5657ed89cf953e8f58f6513096224?branch=master"}, {"name": "101784", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/101784"}, {"name": "RHSA-2017:2285", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2017:2285"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1441604"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2017-7488", "datePublished": "2017-05-16T18:00:00", "dateReserved": "2017-04-05T00:00:00", "dateUpdated": "2024-08-05T16:04:11.602Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:authconfig_project:authconfig:6.2.8:*:*:*:*:*:*:*", "matchCriteriaId": "53D1FEF4-323A-4A44-AB08-11E73C1C40E8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Authconfig version 6.2.8 is vulnerable to an Information exposure while using SSSD to authenticate against remote server resulting in the leak of information about existing usernames."}, {"lang": "es", "value": "La versi\u00f3n 6.2.8 de Authconfig es vulnerable a una exposici\u00f3n de informaci\u00f3n cuando utiliza SSSD para autenticarse contra servidores remotos dando lugar a una fuga de informaci\u00f3n sobre nombres de usuario existentes."}], "id": "CVE-2017-7488", "lastModified": "2023-02-12T23:30:12.047", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-05-16T18:29:00.143", "references": [{"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/101784"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2017:2285"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch", "Third Party Advisory", "VDB Entry"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1441604"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://pagure.io/authconfig/c/0972f61ad4b5657ed89cf953e8f58f6513096224?branch=master"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "This issue was discovered by Thorsten Scherf (Red Hat) and Tomas Mraz (Red Hat).", "affected_release": [{"advisory": "RHSA-2017:2285", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "authconfig-0:6.2.8-30.el7", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2017-08-01T00:00:00Z"}], "bugzilla": {"description": "authconfig: Information leak when SSSD is used for authentication against remote server", "id": "1441604", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1441604"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "status": "verified"}, "cwe": "CWE-200", "details": ["Authconfig version 6.2.8 is vulnerable to an Information exposure while using SSSD to authenticate against remote server resulting in the leak of information about existing usernames.", "A flaw was found where authconfig could configure sssd in a way that treats existing and non-existing logins differently, leaking information on existence of a user. An attacker with physical or network access to the machine could enumerate users via a timing attack."], "mitigation": {"lang": "en:us", "value": "Possible workaround (with side-effects):\nauthconfig --enablesysnetauth --update"}, "name": "CVE-2017-7488", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "authconfig", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "authconfig", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2017-05-09T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2017-7488\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-7488"], "threat_severity": "Moderate"}