CVE-2021-3621

A flaw was found in SSSD, where the sssctl command was vulnerable to shell command injection via the logs-fetch and cache-expire subcommands. This flaw allows an attacker to trick the root user into running a specially crafted sssctl command, such as via sudo, to gain root access. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
References
Link Resource
https://bugzilla.redhat.com/show_bug.cgi?id=1975142 Issue Tracking Patch Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/05/msg00028.html Third Party Advisory
https://sssd.io/release-notes/sssd-2.6.0.html Release Notes Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:fedoraproject:sssd:2.6.0:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:a:redhat:virtualization:4.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:virtualization_host:4.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:8.2:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:*:*:*:*:*:*:*

Configuration 3 (hide)

cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*

History

04 Mar 2024, 22:58

Type Values Removed Values Added
CPE cpe:2.3:a:sssd:sssd:2.6.0:*:*:*:*:*:*:* cpe:2.3:a:fedoraproject:sssd:2.6.0:*:*:*:*:*:*:*
First Time Fedoraproject sssd
References () https://lists.debian.org/debian-lts-announce/2023/05/msg00028.html - () https://lists.debian.org/debian-lts-announce/2023/05/msg00028.html - Third Party Advisory

29 May 2023, 17:15

Type Values Removed Values Added
References
  • (MLIST) https://lists.debian.org/debian-lts-announce/2023/05/msg00028.html -

24 Oct 2022, 16:38

Type Values Removed Values Added
CWE CWE-77 CWE-78

07 Jan 2022, 16:18

Type Values Removed Values Added
CPE cpe:2.3:a:sssd:sssd:2.6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:8.2:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:*:*:*:*:*:*:*
cpe:2.3:a:redhat:virtualization_host:4.0:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:*
cpe:2.3:a:redhat:virtualization:4.0:*:*:*:*:*:*:*
References (MISC) https://sssd.io/release-notes/sssd-2.6.0.html - (MISC) https://sssd.io/release-notes/sssd-2.6.0.html - Release Notes, Third Party Advisory
References (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=1975142 - (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=1975142 - Issue Tracking, Patch, Third Party Advisory
CVSS v2 : unknown
v3 : unknown
v2 : 9.3
v3 : 8.8
First Time Fedoraproject
Sssd
Redhat enterprise Linux Server Tus
Redhat enterprise Linux Eus
Redhat virtualization
Redhat enterprise Linux Server Aus
Fedoraproject fedora
Redhat enterprise Linux
Redhat virtualization Host
Sssd sssd
Redhat

23 Dec 2021, 21:15

Type Values Removed Values Added
New CVE

Information

Published : 2021-12-23 21:15

Updated : 2024-03-04 22:58


NVD link : CVE-2021-3621

Mitre link : CVE-2021-3621

CVE.ORG link : CVE-2021-3621


JSON object : View

Products Affected

redhat

  • virtualization
  • virtualization_host
  • enterprise_linux_server_tus
  • enterprise_linux_server_aus
  • enterprise_linux
  • enterprise_linux_eus

fedoraproject

  • sssd
  • fedora
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')