CVE-2015-5292

Summary

CVE	CVE-2015-5292
State	PUBLISHED
Assigner	redhat
Source Priority	CVE Program / NVD first with legacy fallback
Published	2015-10-29 16:59:00 UTC
Updated	2026-05-06 22:30:45 UTC
Description	Memory leak in the Privilege Attribute Certificate (PAC) responder plugin (sssd_pac_plugin.so) in System Security Services Daemon (SSSD) 1.10 before 1.13.1 allows remote authenticated users to cause a denial of service (memory consumption) via a large number of logins that trigger parsing of PAC blobs during Kerberos authentication.

Risk And Classification

Primary CVSS: v2.0 6.8 from [email protected]

AV:N/AC:L/Au:S/C:N/I:N/A:C

Problem Types: CWE-399 | n/a

CVSS v2.0 Breakdown

Access Vector

Network

Access Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

None

Availability

Complete

AV:N/AC:L/Au:S/C:N/I:N/A:C

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Fedoraproject	Sssd	1.10.0	All	All	All
Application	Fedoraproject	Sssd	1.10.1	All	All	All
Application	Fedoraproject	Sssd	1.11.0	All	All	All
Application	Fedoraproject	Sssd	1.11.1	All	All	All
Application	Fedoraproject	Sssd	1.11.2	All	All	All
Application	Fedoraproject	Sssd	1.11.3	All	All	All
Application	Fedoraproject	Sssd	1.11.4	All	All	All
Application	Fedoraproject	Sssd	1.11.5	All	All	All
Application	Fedoraproject	Sssd	1.11.6	All	All	All
Application	Fedoraproject	Sssd	1.11.7	All	All	All
Application	Fedoraproject	Sssd	1.12.0	All	All	All
Application	Fedoraproject	Sssd	1.12.1	All	All	All
Application	Fedoraproject	Sssd	1.12.2	All	All	All
Application	Fedoraproject	Sssd	1.12.3	All	All	All
Application	Fedoraproject	Sssd	1.12.4	All	All	All
Application	Fedoraproject	Sssd	1.12.5	All	All	All
Application	Fedoraproject	Sssd	1.13.0	All	All	All

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Na	N/a	affected n/a	Not specified

References

Reference	Source	Link	Tags
permalink.gmane.org \| 522: Connection timed out	af854a3a-2127-422b-91ae-364da2661108	permalink.gmane.org	Vendor Advisory
SSSD 'sss_client/sssd_pac.c' Denial of Service Vulnerability	af854a3a-2127-422b-91ae-364da2661108	www.securityfocus.com
[SECURITY] Fedora 23 Update: sssd-1.13.1-2.fc23	af854a3a-2127-422b-91ae-364da2661108	lists.fedoraproject.org
Red Hat Customer Portal	af854a3a-2127-422b-91ae-364da2661108	rhn.redhat.com
System Security Services Daemon (SSSD) Memory Leak in PAC Plugin Lets Remote Authenticated Users Consume Excessive Memory Resources - SecurityTracker	af854a3a-2127-422b-91ae-364da2661108	www.securitytracker.com
#2803 (Memory leak / possible DoS with krb auth.) – SSSD	af854a3a-2127-422b-91ae-364da2661108	fedorahosted.org
Releases/Notes-1.13.1 – SSSD	af854a3a-2127-422b-91ae-364da2661108	fedorahosted.org
Infrastructure/Fedorahosted-retirement - Fedora Project Wiki	af854a3a-2127-422b-91ae-364da2661108	fedorahosted.org
[SECURITY] Fedora 22 Update: sssd-1.13.1-2.fc22	af854a3a-2127-422b-91ae-364da2661108	lists.fedoraproject.org
Red Hat Customer Portal	af854a3a-2127-422b-91ae-364da2661108	rhn.redhat.com
Oracle Linux Bulletin - October 2015	af854a3a-2127-422b-91ae-364da2661108	www.oracle.com
[SECURITY] Fedora 21 Update: sssd-1.12.5-4.fc21	af854a3a-2127-422b-91ae-364da2661108	lists.fedoraproject.org
Bug 1267580 – CVE-2015-5292 sssd: memory leak in the sssd_pac_plugin	af854a3a-2127-422b-91ae-364da2661108	bugzilla.redhat.com
Red Hat Customer Portal	MITRE	access.redhat.com
Red Hat Customer Portal	MITRE	access.redhat.com
CVE-2015-5292 - Red Hat Customer Portal	MITRE	access.redhat.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.