CVE-2015-5292

Summary

CVE	CVE-2015-5292
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2015-10-29 16:59:00 UTC
Updated	2023-02-13 00:53:00 UTC
Description	Memory leak in the Privilege Attribute Certificate (PAC) responder plugin (sssd_pac_plugin.so) in System Security Services Daemon (SSSD) 1.10 before 1.13.1 allows remote authenticated users to cause a denial of service (memory consumption) via a large number of logins that trigger parsing of PAC blobs during Kerberos authentication.

Risk And Classification

Problem Types: CWE-399

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Fedoraproject	Sssd	1.10.0	All	All	All
Application	Fedoraproject	Sssd	1.10.1	All	All	All
Application	Fedoraproject	Sssd	1.11.0	All	All	All
Application	Fedoraproject	Sssd	1.11.1	All	All	All
Application	Fedoraproject	Sssd	1.11.2	All	All	All
Application	Fedoraproject	Sssd	1.11.3	All	All	All
Application	Fedoraproject	Sssd	1.11.4	All	All	All
Application	Fedoraproject	Sssd	1.11.5	All	All	All
Application	Fedoraproject	Sssd	1.11.6	All	All	All
Application	Fedoraproject	Sssd	1.11.7	All	All	All
Application	Fedoraproject	Sssd	1.12.0	All	All	All
Application	Fedoraproject	Sssd	1.12.1	All	All	All
Application	Fedoraproject	Sssd	1.12.2	All	All	All
Application	Fedoraproject	Sssd	1.12.3	All	All	All
Application	Fedoraproject	Sssd	1.12.4	All	All	All
Application	Fedoraproject	Sssd	1.12.5	All	All	All
Application	Fedoraproject	Sssd	1.13.0	All	All	All
Application	Fedoraproject	Sssd	1.10.0	All	All	All
Application	Fedoraproject	Sssd	1.10.1	All	All	All
Application	Fedoraproject	Sssd	1.11.0	All	All	All
Application	Fedoraproject	Sssd	1.11.1	All	All	All
Application	Fedoraproject	Sssd	1.11.2	All	All	All
Application	Fedoraproject	Sssd	1.11.3	All	All	All
Application	Fedoraproject	Sssd	1.11.4	All	All	All
Application	Fedoraproject	Sssd	1.11.5	All	All	All
Application	Fedoraproject	Sssd	1.11.6	All	All	All
Application	Fedoraproject	Sssd	1.11.7	All	All	All
Application	Fedoraproject	Sssd	1.12.0	All	All	All
Application	Fedoraproject	Sssd	1.12.1	All	All	All
Application	Fedoraproject	Sssd	1.12.2	All	All	All
Application	Fedoraproject	Sssd	1.12.3	All	All	All
Application	Fedoraproject	Sssd	1.12.4	All	All	All
Application	Fedoraproject	Sssd	1.12.5	All	All	All
Application	Fedoraproject	Sssd	1.13.0	All	All	All

References

Reference	Source	Link	Tags
Bug 1267580 – CVE-2015-5292 sssd: memory leak in the sssd_pac_plugin	CONFIRM	bugzilla.redhat.com
#2803 (Memory leak / possible DoS with krb auth.) – SSSD	CONFIRM	fedorahosted.org
Red Hat Customer Portal	MISC	access.redhat.com
Red Hat Customer Portal	MISC	access.redhat.com
permalink.gmane.org \| 522: Connection timed out	MLIST	permalink.gmane.org	Vendor Advisory
Red Hat Customer Portal	REDHAT	rhn.redhat.com
[SECURITY] Fedora 21 Update: sssd-1.12.5-4.fc21	FEDORA	lists.fedoraproject.org
SSSD 'sss_client/sssd_pac.c' Denial of Service Vulnerability	BID	www.securityfocus.com
CVE-2015-5292 - Red Hat Customer Portal	MISC	access.redhat.com
Red Hat Customer Portal	REDHAT	rhn.redhat.com
Oracle Linux Bulletin - October 2015	CONFIRM	www.oracle.com
[SECURITY] Fedora 23 Update: sssd-1.13.1-2.fc23	FEDORA	lists.fedoraproject.org
Infrastructure/Fedorahosted-retirement - Fedora Project Wiki	CONFIRM	fedorahosted.org
System Security Services Daemon (SSSD) Memory Leak in PAC Plugin Lets Remote Authenticated Users Consume Excessive Memory Resources - SecurityTracker	SECTRACK	www.securitytracker.com
[SECURITY] Fedora 22 Update: sssd-1.13.1-2.fc22	FEDORA	lists.fedoraproject.org
Releases/Notes-1.13.1 – SSSD	CONFIRM	fedorahosted.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.