sssd, versions 1.13.0 to before 2.0.0, did not properly restrict access to the infopipe according to the “allowed_uids” configuration parameter. Sensitive information could be inadvertently disclosed to local attackers if it was stored in the user directory.
This vulnerability is only exposed if the infopipe service is enabled (enabled by default in Red Hat Enterprise Linux 7, disabled by default in Red Hat Enterprise Linux 6), and [ifp].allowed_uids
is relied upon to protect sensitive information in the user directory.