Impact
A path traversal flaw in the SSSD AD GPO provider allows an attacker who has GPO management access to write files outside the GPO cache directory as root. If SELinux is in enforcing mode, the injected files can contain a malicious Kerberos configuration, resulting in authentication bypass for any user that relies on those settings.
Affected Systems
The vulnerability is present in Red Hat Enterprise Linux 6, 7, 8, 9, 10 and Red Hat OpenShift Container Platform 4, all of which rely on SSSD for Kerberos authentication and GPO processing. The specific product names are Red Hat Enterprise Linux 6, 7, 8, 9, 10 and Red Hat OpenShift Container Platform 4.
Risk and Exploitability
With a CVSS score of 8, the flaw is considered high severity. No EPSS score is available, so the likelihood of exploitation remains uncertain. The flaw is not listed in CISA's KEV catalog, but it requires the attacker to have privileged GPO management rights – a role typically held by administrators or compromised domain accounts. On a default configuration with SELinux enforcing, an attacker who can write files as root can modify Kerberos settings and bypass authentication.
OpenCVE Enrichment