It was found that sssd’s sysdb_search_user_by_upn_res() function did not sanitize requests when querying its local cache and was vulnerable to injection. In a centralized login environment, if a password hash was locally cached for a given user, an authenticated attacker could use this flaw to retrieve it.
It is possible to disable manually credential caching :
However, tools such as realmd & ipa-client-install might enable credential caching, and should be used with care.