4.9 - CVE-2013-0287

Executive Summary

Informations
Name	CVE-2013-0287	First vendor Publication	2013-03-21
Vendor	Cve	Last vendor Modification	2013-05-15

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:S/C:P/I:P/A:N)
Cvss Base Score	4.9	Attack Range	Network
Cvss Impact Score	4.9	Attack Complexity	Medium
Cvss Expoit Score	6.8	Authentication	Requires single instance
Calculate full CVSS 2.0 Vectors scores

Detail

The Simple Access Provider in System Security Services Daemon (SSSD) 1.9.0 through 1.9.4, when the Active Directory provider is used, does not properly enforce the simple_deny_groups option, which allows remote authenticated users to bypass intended access restrictions.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0287

CWE : Common Weakness Enumeration

%	Id	Name
100 %	CWE-264	Permissions, Privileges, and Access Controls

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:20721

Oval ID:	oval:org.mitre.oval:def:20721
Title:	RHSA-2013:0663: sssd security and bug fix update (Moderate)
Description:	The Simple Access Provider in System Security Services Daemon (SSSD) 1.9.0 through 1.9.4, when the Active Directory provider is used, does not properly enforce the simple_deny_groups option, which allows remote authenticated users to bypass intended access restrictions.
Family:	unix	Class:	patch
Reference(s):	RHSA-2013:0663-01 CESA-2013:0663 CVE-2013-0287	Version:	4
Platform(s):	Red Hat Enterprise Linux 6 CentOS Linux 6	Product(s):	sssd
Definition Synopsis:
Redhat 6 or Centos 6 release The operating system installed on the system is Red Hat Enterprise Linux 6 AND CentOS Linux 6.x Packages section sssd-client is earlier than 0:1.9.2-82.4.el6_4 AND libipa_hbac-python is earlier than 0:1.9.2-82.4.el6_4 AND libsss_sudo is earlier than 0:1.9.2-82.4.el6_4 AND sssd is earlier than 0:1.9.2-82.4.el6_4 AND libipa_hbac is earlier than 0:1.9.2-82.4.el6_4 AND libsss_idmap is earlier than 0:1.9.2-82.4.el6_4 AND libsss_autofs is earlier than 0:1.9.2-82.4.el6_4 AND libipa_hbac-devel is earlier than 0:1.9.2-82.4.el6_4 AND sssd-tools is earlier than 0:1.9.2-82.4.el6_4 AND libsss_idmap-devel is earlier than 0:1.9.2-82.4.el6_4 AND libsss_sudo-devel is earlier than 0:1.9.2-82.4.el6_4

Definition Id: oval:org.mitre.oval:def:24047

Oval ID:	oval:org.mitre.oval:def:24047
Title:	ELSA-2013:0663: sssd security and bug fix update (Moderate)
Description:	The Simple Access Provider in System Security Services Daemon (SSSD) 1.9.0 through 1.9.4, when the Active Directory provider is used, does not properly enforce the simple_deny_groups option, which allows remote authenticated users to bypass intended access restrictions.
Family:	unix	Class:	patch
Reference(s):	ELSA-2013:0663-01 CVE-2013-0287	Version:	6
Platform(s):	Oracle Linux 6	Product(s):	sssd
Definition Synopsis:
Oracle Linux 6.x rpm test sssd-client is earlier than 0:1.9.2-82.4.el6_4 AND libipa_hbac-python is earlier than 0:1.9.2-82.4.el6_4 AND libsss_sudo is earlier than 0:1.9.2-82.4.el6_4 AND sssd is earlier than 0:1.9.2-82.4.el6_4 AND libipa_hbac is earlier than 0:1.9.2-82.4.el6_4 AND libsss_idmap is earlier than 0:1.9.2-82.4.el6_4 AND libsss_autofs is earlier than 0:1.9.2-82.4.el6_4 AND libipa_hbac-devel is earlier than 0:1.9.2-82.4.el6_4 AND sssd-tools is earlier than 0:1.9.2-82.4.el6_4 AND libsss_idmap-devel is earlier than 0:1.9.2-82.4.el6_4 AND libsss_sudo-devel is earlier than 0:1.9.2-82.4.el6_4

Definition Id: oval:org.mitre.oval:def:27145

Oval ID:	oval:org.mitre.oval:def:27145
Title:	DEPRECATED: ELSA-2013-0663 -- sssd security and bug fix update (moderate)
Description:	[1.9.2-82.4] - Resolves: rhbz#911298 - sssd: simple access provider flaw prevents intended ACL use when client to an AD provider [1.9.2-82.3] - Fix pwd_expiration_warning=0 - Resolves: rhbz#914671 - pwd_expiration_warning has wrong default for Kerberos [1.9.2-82.2] - Resolves: rhbz#914671 - pwd_expiration_warning has wrong default for Kerberos - Fix the NVR [1.9.2-82.1] - Resolves: rhbz#907362 - Serious performance regression in sssd
Family:	unix	Class:	patch
Reference(s):	ELSA-2013-0663 CVE-2013-0287	Version:	4
Platform(s):	Oracle Linux 6	Product(s):	sssd
Definition Synopsis:
Oracle Linux 6.x Packages match section sssd is earlier than 0:1.9.2-82.4.el6_4 AND libipa_hbac is earlier than 0:1.9.2-82.4.el6_4 AND libipa_hbac-devel is earlier than 0:1.9.2-82.4.el6_4 AND libipa_hbac-python is earlier than 0:1.9.2-82.4.el6_4 AND libsss_autofs is earlier than 0:1.9.2-82.4.el6_4 AND libsss_idmap is earlier than 0:1.9.2-82.4.el6_4 AND libsss_idmap-devel is earlier than 0:1.9.2-82.4.el6_4 AND libsss_sudo is earlier than 0:1.9.2-82.4.el6_4 AND libsss_sudo-devel is earlier than 0:1.9.2-82.4.el6_4 AND sssd-client is earlier than 0:1.9.2-82.4.el6_4 AND sssd-tools is earlier than 0:1.9.2-82.4.el6_4

CPE : Common Platform Enumeration

Type	Description	Count
Application	Fedoraproject Sssd cpe:2.3:a:fedoraproject:sssd:1.9.4:::::::* cpe:2.3:a:fedoraproject:sssd:1.9.3:::::::* cpe:2.3:a:fedoraproject:sssd:1.9.2:::::::* cpe:2.3:a:fedoraproject:sssd:1.9.1:::::::* cpe:2.3:a:fedoraproject:sssd:1.9.0:::::::*	5

Nessus® Vulnerability Scanner

Date	Description
2014-06-13	Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-264.nasl - Type : ACT_GATHER_INFO
2013-07-12	Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2013-0663.nasl - Type : ACT_GATHER_INFO
2013-04-01	Name : The remote Fedora host is missing a security update. File : fedora_2013-4193.nasl - Type : ACT_GATHER_INFO
2013-03-21	Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2013-0663.nasl - Type : ACT_GATHER_INFO
2013-03-20	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2013-0663.nasl - Type : ACT_GATHER_INFO
2013-03-20	Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20130319_sssd_on_SL6_x.nasl - Type : ACT_GATHER_INFO

Sources (Detail)

Source	Url
BID	http://www.securityfocus.com/bid/58593
CONFIRM	http://git.fedorahosted.org/cgit/sssd.git/patch/?id=26590d31f492dbbd36be6d0bd... http://git.fedorahosted.org/cgit/sssd.git/patch/?id=6569d57e3bc168e6e83d70333... http://git.fedorahosted.org/cgit/sssd.git/patch/?id=6837eee3f7f81c0ee454d3718... http://git.fedorahosted.org/cgit/sssd.git/patch/?id=754b09b5444e6da88ed58d6de... http://git.fedorahosted.org/cgit/sssd.git/patch/?id=7619be9f6bf649665fcbeee9e... http://git.fedorahosted.org/cgit/sssd.git/patch/?id=8b8019fe3dd1564fba657e219... http://git.fedorahosted.org/cgit/sssd.git/patch/?id=b63830b142053f99bfe954d4b... http://git.fedorahosted.org/cgit/sssd.git/patch/?id=c0bca1722d6f9dfb654ad7839...
MISC	http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=910938
MLIST	https://lists.fedorahosted.org/pipermail/sssd-devel/2013-March/014066.html
REDHAT	http://rhn.redhat.com/errata/RHSA-2013-0663.html
SECTRACK	http://securitytracker.com/id?1028317
SECUNIA	http://secunia.com/advisories/52704 http://secunia.com/advisories/52722
SUSE	http://lists.opensuse.org/opensuse-updates/2013-03/msg00115.html

Alert History

If you want to see full details history, please login or register.

Date	Informations
2021-05-04 12:23:18	Multiple Updates
2021-04-22 01:27:50	Multiple Updates
2020-05-23 00:35:42	Multiple Updates
2016-04-26 22:40:25	Multiple Updates
2014-06-14 13:34:16	Multiple Updates
2014-02-17 11:15:32	Multiple Updates
2013-05-16 17:03:01	Multiple Updates
2013-05-10 22:28:04	Multiple Updates
2013-03-22 21:18:41	Multiple Updates
2013-03-21 21:18:32	First insertion

Global Informations

Type	Count
CWE ID(s)	1
Oval ID(s)	3
CPE ID(s)	5
Sources(s)	16
Nessus® Exploit(s)	6

	Related
4.9	RHSA-2013:0663
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 1 more Alert(s)

4.9 - CVE-2013-0287

Executive Summary

Security-Database Scoring CVSS v3

Security-Database Scoring CVSS v2

Detail

Original Source

CWE : Common Weakness Enumeration

OVAL Definitions

CPE : Common Platform Enumeration

Nessus® Vulnerability Scanner

Sources (Detail)

Alert History

Global Informations

Open Standards

Other Databases

COMPANY

STANDARDS

RECENT POSTS

MENU