Vulnerability Details : CVE-2022-4254
Potential exploit
sssd: libsss_certmap fails to sanitise certificate data used in LDAP filters
Products affected by CVE-2022-4254
- cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_scientific_computing:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:8.1:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:8.1:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:8.2:*:*:*:*:*:*:*
- cpe:2.3:a:fedoraproject:sssd:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-4254
- EPSS score: 0.07% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~19% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2022-4254
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 2025-03-27
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST |
CWE ids for CVE-2022-4254
- The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.
  Assigned by:
  - 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Primary)
  - secalert@redhat.com (Primary)
References for CVE-2022-4254
- https://bugzilla.redhat.com/show_bug.cgi?id=2149894
  2149894 – (CVE-2022-4254) CVE-2022-4254 sssd: libsss_certmap fails to sanitise certificate data used in LDAP filters (Exploit; Issue Tracking; Patch; Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2023/05/msg00028.html
  [SECURITY] [DLA 3436-1] sssd security update
- https://github.com/SSSD/sssd/issues/5135
  Certificate attributes are not sanitized prior to ldap search · Issue #5135 · SSSD/sssd · GitHub (Exploit; Issue Tracking; Patch; Third Party Advisory)
- https://github.com/SSSD/sssd/commit/a2b9a84460429181f2a4fa7e2bb5ab49fd561274
  certmap: sanitize LDAP search filter · SSSD/sssd@a2b9a84 · GitHub (Patch; Third Party Advisory)
- https://access.redhat.com/security/cve/CVE-2022-4254
  CVE-2022-4254 - Red Hat Customer Portal (Third Party Advisory)