SSSD: Command Injection — GLSA 202407-05

A vulnerability has been discovered in SSSD, which can lead to arbitrary code execution.

Affected packages

sys-auth/sssd on all architectures
Affected versions < 2.5.2-r1
Unaffected versions >= 2.5.2-r1

Background

SSSD provides a set of daemons to manage access to remote directories and authentication mechanisms such as LDAP, Kerberos or FreeIPA. It provides an NSS and PAM interface toward the system and a pluggable backend system to connect to multiple different account sources.

Description

A vulnerability has been discovered in SSSD. Please review the CVE identifier referenced below for details.

Impact

A flaw was found in SSSD, where the sssctl command was vulnerable to shell command injection via the logs-fetch and cache-expire subcommands. This flaw allows an attacker to trick the root user into running a specially crafted sssctl command, such as via sudo, to gain root access.
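The vulnerability class named above (an untrusted argument spliced into a shell command string) and its two standard mitigations, as an added illustration in POSIX sh. This is constructed example code, not SSSD's or sssctl's source; the function names and the "file: ..." output are assumptions made for the demonstration.

```shell
#!/bin/sh
# Constructed illustration (not SSSD code) of the command-injection pattern the
# advisory describes, next to the two defensive alternatives.

# Vulnerable pattern: the argument is interpolated into a string handed to sh -c,
# so shell metacharacters in the argument (";", "|", "$(...)") are interpreted.
unsafe_show_file() {
    sh -c "printf 'file: %s\n' $1"
}

# Safe pattern 1 (preferred): never build a shell string at all; pass the value
# straight through as one argv element, so it can only ever be data.
safe_show_file() {
    printf 'file: %s\n' "$1"
}

# Safe pattern 2: when a shell string is unavoidable, wrap the argument in single
# quotes and escape embedded single quotes as '\'' so the shell sees one literal word.
# (Trailing newlines in the argument are dropped by the $(...) capture; acceptable here.)
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

quoted_show_file() {
    sh -c "printf 'file: %s\n' $(shell_quote "$1")"
}

# Demonstration input: a benign marker rather than anything harmful.
# With unsafe_show_file the second statement runs; with the other two it is printed as data.
demo_arg='a.log; echo INJECTED'
echo '--- unsafe (marker executes as a command) ---'
unsafe_show_file "$demo_arg"
echo '--- argv (marker stays data) ---'
safe_show_file "$demo_arg"
echo '--- quoted (marker stays data) ---'
quoted_show_file "$demo_arg"
```

The argv form is the fix to prefer: a value that never passes through a shell parser has no metacharacters to escape. The quoting helper is the fallback for wrappers that must hand a command line to `sh -c` or `ssh`.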

Workaround

There is no known workaround at this time.

Resolution

All SSSD users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=sys-auth/sssd-2.5.2-r1"
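A check a Gentoo administrator can run before and after the upgrade to confirm whether the installed sys-auth/sssd falls in the affected range (< 2.5.2-r1). This is an added example, not part of the advisory or of Gentoo's tooling; it assumes the standard Portage installed-package database under /var/db/pkg and plain numeric MAJOR.MINOR.PATCH versions with an optional -rN revision (pre-release suffixes such as _rc are not handled).

```shell
#!/bin/sh
# Constructed helper (not part of the GLSA or of Portage): report whether installed
# sys-auth/sssd versions are in the affected range of GLSA 202407-05, i.e. < 2.5.2-r1.

# Turn "X.Y.Z[-rN]" into a fixed-width numeric key so versions compare with -lt.
# Assumption: each field stays below 10000 and is purely numeric; missing trailing
# fields count as 0 (so "2.5" is treated as 2.5.0, revision defaults to r0).
sssd_version_key() {
    ver="$1"
    rev=0
    case "$ver" in
        *-r*) rev="${ver##*-r}"; ver="${ver%-r*}" ;;
    esac
    major="${ver%%.*}"; rest="${ver#*.}"
    [ "$rest" = "$ver" ] && rest="0.0"
    minor="${rest%%.*}"; patch="${rest#*.}"
    [ "$patch" = "$rest" ] && patch=0
    printf '%04d%04d%04d%04d\n' "$major" "$minor" "$patch" "$rev"
}

# True (exit 0) when the version is older than the first fixed version, 2.5.2-r1.
sssd_is_affected() {
    [ "$(sssd_version_key "$1")" -lt "$(sssd_version_key "2.5.2-r1")" ]
}

# Installed versions from the Portage VDB: one directory per installed package,
# named /var/db/pkg/<category>/<pkg>-<version> (assumption: default VDB location).
installed_sssd_versions() {
    for d in /var/db/pkg/sys-auth/sssd-*; do
        [ -d "$d" ] || continue
        printf '%s\n' "${d##*/sssd-}"
    done
}

# Usage: no arguments checks the live system; otherwise each argument is a version
# string to classify. Exit status 1 if any checked version is affected.
main() {
    if [ $# -gt 0 ]; then vers="$*"; else vers="$(installed_sssd_versions)"; fi
    [ -n "$vers" ] || { echo "sys-auth/sssd is not installed"; return 0; }
    status=0
    for v in $vers; do
        if sssd_is_affected "$v"; then
            echo "sys-auth/sssd-$v: AFFECTED by GLSA 202407-05, upgrade to >= 2.5.2-r1"
            status=1
        else
            echo "sys-auth/sssd-$v: not affected"
        fi
    done
    return $status
}

main "$@"
```

The numeric key avoids relying on `sort -V` semantics for the `-rN` revision suffix; the one comparison that matters for this advisory is that 2.5.2 (revision 0) sorts below 2.5.2-r1.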


Release date
July 01, 2024

Latest revision
July 01, 2024: 1

Exploitable
local and remote

Bugzilla entries