Kerberos 4 key servers allow a user to masquerade as another by breaking and generating session keys.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| sun | sunos | 5.4 |
| process_software | multinet | 3.4 |
| sun | sunos | 5.3 |
| mit | kerberos | 4.0 |
| process_software | multinet | 3.5 |
| mit | kerberos_5 | - |
The dtlogin program in Compaq Tru64 UNIX allows local users to gain root privileges.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| transarc | afs | * |
| cde | cde | * |
| digital | unix | * |
| mit | kerberos_5 | - |
Buffer overflow in Kerberos IV compatibility libraries as used in Kerberos V allows local users to gain root privileges via a long line in a kerberos configuration file, which can be specified via the KRB_CONF environmental variable.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.5.2 |
Buffer overflow in ssh 1.2.26 client with Kerberos V enabled could allow remote attackers to cause a denial of service or execute arbitrary commands via a long DNS hostname that is not properly handled during TGT ticket passing.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos | v |
Buffer overflow in krb_rd_req function in Kerberos 4 and 5 allows remote attackers to gain root privileges.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| cygnus | cygnus_network_security | 4.0 |
| cygnus | kerbnet | 5.0 |
| mit | kerberos | 4.0 |
| redhat | linux | 6.2 |
| mit | kerberos_5 | 1.1.1 |
| mit | kerberos_5 | 1.0 |
Buffer overflow in krb425_conv_principal function in Kerberos 5 allows remote attackers to gain root privileges.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| cygnus | cygnus_network_security | 4.0 |
| cygnus | kerbnet | 5.0 |
| mit | kerberos | 4.0 |
| redhat | linux | 6.2 |
| mit | kerberos_5 | 1.1.1 |
| mit | kerberos_5 | 1.0 |
Buffer overflow in krshd in Kerberos 5 allows remote attackers to gain root privileges.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| cygnus | cygnus_network_security | 4.0 |
| cygnus | kerbnet | 5.0 |
| mit | kerberos | 4.0 |
| redhat | linux | 6.2 |
| mit | kerberos_5 | 1.1.1 |
| mit | kerberos_5 | 1.0 |
Buffer overflow in ksu in Kerberos 5 allows local users to gain root privileges.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| cygnus | cygnus_network_security | 4.0 |
| cygnus | kerbnet | 5.0 |
| mit | kerberos | 4.0 |
| redhat | linux | 6.2 |
| mit | kerberos_5 | 1.1.1 |
| mit | kerberos_5 | 1.0 |
GSSFTP FTP daemon in Kerberos 5 1.1.x does not properly restrict access to some FTP commands, which allows remote attackers to cause a denial of service, and local users to gain root privileges.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.1 |
| mit | kerberos_5 | 1.1.1 |
Buffer overflow in Kerberos 4 KDC program allows remote attackers to cause a denial of service via the lastrealm variable in the set_tgtkey function.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-120,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos | * |
| mit | kerberos_5 | * |
| mit | kerberos_5 | 1.1 |
| mit | kerberos | 4.0 |
| kerbnet_project | kerbnet | - |
| mit | kerberos_5 | 1.1.1 |
| cygnus_network_security_project | cygnus_network_security | - |
Buffer overflow in Kerberos 4 KDC program allows remote attackers to cause a denial of service via the localrealm variable in the process_v4 function.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-120,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos | * |
| mit | kerberos_5 | * |
| mit | kerberos_5 | 1.1 |
| mit | kerberos | 4.0 |
| kerbnet_project | kerbnet | - |
| mit | kerberos_5 | 1.1.1 |
| cygnus_network_security_project | cygnus_network_security | - |
Buffer overflow in Kerberos 4 KDC program allows remote attackers to cause a denial of service via the e_msg variable in the kerb_err_reply function.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-120,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos | * |
| mit | kerberos_5 | * |
| mit | kerberos_5 | 1.1 |
| mit | kerberos | 4.0 |
| kerbnet_project | kerbnet | - |
| mit | kerberos_5 | 1.1.1 |
| cygnus_network_security_project | cygnus_network_security | - |
Kerberos 4 KDC program does not properly check for null termination of AUTH_MSG_KDC_REQUEST requests, which allows remote attackers to cause a denial of service via a malformed request.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| cygnus | cygnus_network_security | 4.0 |
| mit | kerberos_5 | 1.1 |
| cygnus | kerbnet | 5.0 |
| mit | kerberos | 4.0 |
| mit | kerberos_5 | 1.1.1 |
| mit | kerberos_5 | 1.0 |
Kerberos 4 KDC program improperly frees memory twice (aka "double-free"), which allows remote attackers to cause a denial of service.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| cygnus | cygnus_network_security | 4.0 |
| mit | kerberos_5 | 1.1 |
| cygnus | kerbnet | 5.0 |
| mit | kerberos | 4.0 |
| mit | kerberos_5 | 1.1.1 |
| mit | kerberos_5 | 1.0 |
Buffer overflows in BSD-based FTP servers allows remote attackers to execute arbitrary commands via a long pattern string containing a {} sequence, as seen in (1) g_opendir, (2) g_lstat, (3) g_stat, and (4) the glob0 buffer as used in the glob functions glob2 and glob3.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| netbsd | netbsd | 1.3.2 |
| freebsd | freebsd | 3.1 |
| sgi | irix | 6.5.4 |
| freebsd | freebsd | 2.2 |
| freebsd | freebsd | 4.1 |
| netbsd | netbsd | 1.4 |
| openbsd | openbsd | 2.6 |
| netbsd | netbsd | 1.3.3 |
| sgi | irix | 6.5.10 |
| netbsd | netbsd | 1.2.1 |
| netbsd | netbsd | 1.5 |
| freebsd | freebsd | 2.2.2 |
| mit | kerberos_5 | 1.1.1 |
| freebsd | freebsd | 3.0 |
| freebsd | freebsd | 2.2.3 |
| freebsd | freebsd | 2.2.8 |
| sgi | irix | 6.5.3 |
| mit | kerberos_5 | 1.2.1 |
| netbsd | netbsd | 1.4.2 |
| mit | kerberos_5 | 1.2.2 |
| sgi | irix | 6.5.5 |
| freebsd | freebsd | 2.2.5 |
| freebsd | freebsd | 3.5.1 |
| freebsd | freebsd | 4.0 |
| netbsd | netbsd | 1.4.3 |
| freebsd | freebsd | 3.5 |
| openbsd | openbsd | 2.5 |
| freebsd | freebsd | 3.4 |
| netbsd | netbsd | 1.3 |
| openbsd | openbsd | 2.3 |
| freebsd | freebsd | 3.2 |
| freebsd | freebsd | 4.2 |
| freebsd | freebsd | 3.3 |
| freebsd | freebsd | 4.1.1 |
| sgi | irix | 6.5.1 |
| netbsd | netbsd | 1.4.1 |
| openbsd | openbsd | 2.8 |
| freebsd | freebsd | 2.2.4 |
| sgi | irix | 6.5.7 |
| sgi | irix | 6.5.3m |
| mit | kerberos_5 | 1.2 |
| sgi | irix | 6.5.3f |
| freebsd | freebsd | 2.2.6 |
| sgi | irix | 6.1 |
| sgi | irix | 6.5.2m |
| sgi | irix | 6.5.6 |
| sgi | irix | 6.5.11 |
| openbsd | openbsd | 2.7 |
| sgi | irix | 6.5.8 |
| openbsd | openbsd | 2.4 |
| netbsd | netbsd | 1.3.1 |
Kerberos 4 (aka krb4) allows local users to overwrite arbitrary files via a symlink attack on new ticket files.
CVSS 2.0
Severity: LOW
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos | 4 |
| mit | kerberos_5 | 1.5.2 |
Buffer overflow in BSD-based telnetd telnet daemon on various operating systems allows remote attackers to execute arbitrary commands via a set of options including AYT (Are You There), which is not properly handled by the telrcv function.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-120,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| netbsd | netbsd | 1.3.2 |
| freebsd | freebsd | 2.1.0 |
| sun | sunos | 5.1 |
| freebsd | freebsd | 3.1 |
| freebsd | freebsd | 2.2 |
| freebsd | freebsd | 4.1 |
| netkit | linux_netkit | 0.10 |
| sun | sunos | 5.8 |
| sun | sunos | 5.4 |
| netbsd | netbsd | 1.4 |
| openbsd | openbsd | 2.6 |
| netbsd | netbsd | 1.3.3 |
| netbsd | netbsd | 1.2.1 |
| netbsd | netbsd | 1.5 |
| sun | solaris | 2.6 |
| freebsd | freebsd | 2.2.2 |
| mit | kerberos_5 | 1.1.1 |
| freebsd | freebsd | 2.1.6 |
| freebsd | freebsd | 2.2.1 |
| freebsd | freebsd | 3.0 |
| freebsd | freebsd | 2.2.3 |
| freebsd | freebsd | 2.0.1 |
| sun | sunos | 5.5.1 |
| freebsd | freebsd | 2.2.8 |
| sun | sunos | 5.3 |
| mit | kerberos | 1.0 |
| mit | kerberos_5 | 1.2.1 |
| netbsd | netbsd | 1.4.2 |
| ibm | aix | 4.3.3 |
| netbsd | netbsd | 1.5.1 |
| mit | kerberos_5 | 1.2.2 |
| sun | sunos | 5.2 |
| freebsd | freebsd | 2.1.7.1 |
| openbsd | openbsd | 2.2 |
| freebsd | freebsd | 2.2.5 |
| netkit | linux_netkit | 0.12 |
| freebsd | freebsd | 3.5.1 |
| freebsd | freebsd | 4.0 |
| netbsd | netbsd | 1.4.3 |
| freebsd | freebsd | 2.1.7 |
| freebsd | freebsd | 3.5 |
| openbsd | openbsd | 2.5 |
| freebsd | freebsd | 3.4 |
| freebsd | freebsd | 4.3 |
| netbsd | netbsd | 1.3 |
| openbsd | openbsd | 2.3 |
| netkit | linux_netkit | 0.11 |
| freebsd | freebsd | 3.2 |
| freebsd | freebsd | 4.2 |
| freebsd | freebsd | 3.3 |
| netbsd | netbsd | 1.2 |
| freebsd | freebsd | 4.1.1 |
| ibm | aix | 4.3 |
| netbsd | netbsd | 1.4.1 |
| openbsd | openbsd | 2.8 |
| freebsd | freebsd | 2.1.5 |
| freebsd | freebsd | 2.2.4 |
| ibm | aix | 4.3.1 |
| ibm | aix | 5.1 |
| sun | sunos | 5.7 |
| ibm | aix | 4.3.2 |
| freebsd | freebsd | 2.1.6.1 |
| mit | kerberos_5 | 1.2 |
| sgi | irix | 6.5 |
| freebsd | freebsd | 2.2.6 |
| mit | kerberos_5 | 1.1 |
| freebsd | freebsd | 2.0.5 |
| openbsd | openbsd | 2.0 |
| freebsd | freebsd | 2.2.7 |
| sun | sunos | 5.5 |
| sun | sunos | 5.0 |
| debian | debian_linux | 2.2 |
| freebsd | freebsd | 2.1 |
| openbsd | openbsd | 2.7 |
| netbsd | netbsd | 1.0 |
| freebsd | freebsd | 2.0 |
| netbsd | netbsd | 1.1 |
| openbsd | openbsd | 2.4 |
| netbsd | netbsd | 1.3.1 |
| openbsd | openbsd | 2.1 |
Buffer overflow in MIT Kerberos 5 (krb5) 1.2.2 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via base-64 encoded data, which is not properly handled when the radix_encode function processes file glob output from the ftpglob function.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-120,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | * |
Integer signedness error in MIT Kerberos V5 ASN.1 decoder before krb5 1.2.5 allows remote attackers to cause a denial of service via a large unsigned data element length, which is later used as a negative value.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.2.2 |
| mit | kerberos_5 | 1.2.4 |
| mit | kerberos_5 | 1.2.3 |
| mit | kerberos_5 | 1.2.1 |
Buffer overflow in pks PGP public key web server before 0.9.5 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long search argument to the lookup capability.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | pgp_public_key_server | 0.9.4 |
| mit | pgp_public_key_server | 0.9.2 |
The kadm_ser_in function in (1) the Kerberos v4compatibility administration daemon (kadmind4) in the MIT Kerberos 5 (krb5) krb5-1.2.6 and earlier, (2) kadmind in KTH Kerberos 4 (eBones) before 1.2.1, and (3) kadmind in KTH Kerberos 5 (Heimdal) before 0.5.1 when compiled with Kerberos 4 support, does not properly verify the length field of a request, which allows remote attackers to execute arbitrary code via a buffer overflow attack.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| kth | kth_kerberos_5 | * |
| mit | kerberos_5 | * |
| kth | kth_kerberos_4 | * |
| debian | debian_linux | 3.0 |
cgiemail allows remote attackers to use cgiemail as a spam proxy via CRLF injection of encoded newline (%0a) characters in parameters such as "required-subject," which can be used to modify the CC, BCC, and other header fields in the generated email message.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | cgiemail | 1.6 |
Buffer overflow in cgicso.c for cgiemail 1.6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long query parameter.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | cgiemail | 1.6 |
Integer overflow in the xdrmem_getbytes() function, and possibly other functions, of XDR (external data representation) libraries derived from SunRPC, including libnsl, libc, glibc, and dietlibc, allows remote attackers to execute arbitrary code via certain integer values in length fields, a different vulnerability than CVE-2002-0391.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| hp | hp-ux | 10.20 |
| cray | unicos | 9.2 |
| openbsd | openbsd | 2.9 |
| mit | kerberos_5 | 1.2.5 |
| sgi | irix | 6.5.4 |
| freebsd | freebsd | 4.1 |
| sgi | irix | 6.5.11m |
| sgi | irix | 6.5.11f |
| sgi | irix | 6.5.2f |
| openafs | openafs | 1.2.2a |
| sgi | irix | 6.5.8f |
| sgi | irix | 6.5.6m |
| sgi | irix | 6.5.6f |
| hp | hp-ux | 11.20 |
| gnu | glibc | 2.1.3 |
| openafs | openafs | 1.0.2 |
| sgi | irix | 6.5.5f |
| cray | unicos | 9.2.4 |
| openbsd | openbsd | 3.2 |
| openafs | openafs | 1.0.3 |
| sgi | irix | 6.5.12m |
| gnu | glibc | 2.3.2 |
| sgi | irix | 6.5.12f |
| sgi | irix | 6.5.13f |
| sun | sunos | - |
| sgi | irix | 6.5.3 |
| cray | unicos | 6.0e |
| sgi | irix | 6.5.10m |
| sgi | irix | 6.5.9f |
| openafs | openafs | 1.2.6 |
| ibm | aix | 5.2 |
| openafs | openafs | 1.2.4 |
| openbsd | openbsd | 2.2 |
| hp | hp-ux | 10.24 |
| freebsd | freebsd | 4.0 |
| sgi | irix | 6.5.14f |
| cray | unicos | 6.1 |
| freebsd | freebsd | 4.3 |
| sgi | irix | 6.5.18f |
| sgi | irix | 6.5.15 |
| sgi | irix | 6.5.18 |
| sgi | irix | 6.5.18m |
| cray | unicos | 6.0 |
| gnu | glibc | 2.1.1 |
| openafs | openafs | 1.2.2 |
| openafs | openafs | 1.1.1a |
| freebsd | freebsd | 4.2 |
| openafs | openafs | 1.3.2 |
| gnu | glibc | 2.2.5 |
| sgi | irix | 6.5.7f |
| gnu | glibc | 2.1.2 |
| openbsd | openbsd | 2.8 |
| sgi | irix | 6.5.4f |
| gnu | glibc | 2.1 |
| sgi | irix | 6.5.5m |
| cray | unicos | 8.3 |
| openafs | openafs | 1.3 |
| sgi | irix | 6.5.7 |
| openafs | openafs | 1.0 |
| openafs | openafs | 1.2.3 |
| sgi | irix | 6.5 |
| sgi | irix | 6.5.3f |
| sun | solaris | 9.0 |
| sgi | irix | 6.5.13m |
| gnu | glibc | 2.2.3 |
| sgi | irix | 6.5.2m |
| gnu | glibc | 2.3 |
| cray | unicos | 9.0 |
| sgi | irix | 6.5.14 |
| openafs | openafs | 1.1.1 |
| openafs | openafs | 1.2.5 |
| mit | kerberos_5 | 1.2.4 |
| sgi | irix | 6.5.8m |
| openbsd | openbsd | 2.7 |
| sgi | irix | 6.5.8 |
| hp | hp-ux_series_700 | 10.20 |
| sgi | irix | 6.5.9 |
| freebsd | freebsd | 4.6 |
| openafs | openafs | 1.1 |
| openafs | openafs | 1.0.4 |
| openbsd | openbsd | 2.1 |
| freebsd | freebsd | 5.0 |
| sgi | irix | 6.5.7m |
| cray | unicos | 7.0 |
| openafs | openafs | 1.2 |
| openafs | openafs | 1.2.1 |
| sgi | irix | 6.5.13 |
| hp | hp-ux_series_800 | 10.20 |
| sun | solaris | 8.0 |
| hp | hp-ux | 11.22 |
| sun | sunos | 5.8 |
| sgi | irix | 6.5.12 |
| openbsd | openbsd | 2.6 |
| sgi | irix | 6.5.10 |
| sgi | irix | 6.5.15f |
| sun | solaris | 2.6 |
| hp | hp-ux | 11.11 |
| freebsd | freebsd | 4.5 |
| gnu | glibc | 2.2.2 |
| sgi | irix | 6.5.20 |
| openafs | openafs | 1.3.1 |
| sun | sunos | 5.5.1 |
| sgi | irix | 6.5.4m |
| gnu | glibc | 2.2 |
| openafs | openafs | 1.0.1 |
| mit | kerberos_5 | 1.2.1 |
| sgi | irix | 6.5.16m |
| sun | solaris | 7.0 |
| hp | hp-ux | 11.00 |
| openbsd | openbsd | 3.1 |
| ibm | aix | 4.3.3 |
| openbsd | openbsd | 3.0 |
| gnu | glibc | 2.3.1 |
| mit | kerberos_5 | 1.2.2 |
| openafs | openafs | 1.2.2b |
| sgi | irix | 6.5.5 |
| cray | unicos | 9.0.2.5 |
| sgi | irix | 6.5.14m |
| gnu | glibc | 2.2.4 |
| sgi | irix | 6.5.2 |
| openbsd | openbsd | 2.5 |
| sgi | irix | 6.5.9m |
| hp | hp-ux | 11.04 |
| freebsd | freebsd | 4.7 |
| openbsd | openbsd | 2.3 |
| sgi | irix | 6.5.16f |
| mit | kerberos_5 | 1.2.7 |
| sgi | irix | 6.5.16 |
| sun | solaris | 2.5.1 |
| sgi | irix | 6.5.15m |
| freebsd | freebsd | 4.1.1 |
| sgi | irix | 6.5.1 |
| ibm | aix | 5.1 |
| sgi | irix | 6.5.17f |
| sgi | irix | 6.5.10f |
| sgi | irix | 6.5.17m |
| sun | sunos | 5.7 |
| sgi | irix | 6.5.3m |
| sgi | irix | 6.5.19 |
| mit | kerberos_5 | 1.2 |
| mit | kerberos_5 | 1.2.6 |
| openbsd | openbsd | 2.0 |
| freebsd | freebsd | 4.6.2 |
| sgi | irix | 6.5.6 |
| openafs | openafs | 1.0.4a |
| sgi | irix | 6.5.17 |
| sgi | irix | 6.5.11 |
| gnu | glibc | 2.2.1 |
| mit | kerberos_5 | 1.2.3 |
| openbsd | openbsd | 2.4 |
| freebsd | freebsd | 4.4 |
| cray | unicos | 8.0 |
Kerberos FTP client allows remote FTP sites to execute arbitrary code via a pipe (|) character in a filename that is retrieved by the client.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-78,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | linux | 7.2 |
| mandrakesoft | mandrake_linux | 8.2 |
| mandrakesoft | mandrake_linux | 8.1 |
| redhat | linux | 7.1 |
| mandrakesoft | mandrake_multi_network_firewall | 8.2 |
| redhat | linux | 8.0 |
| mit | kerberos_ftp_client | * |
| redhat | linux | 6.2 |
| redhat | linux | 7.3 |
| mandrakesoft | mandrake_linux | 9.0 |
| redhat | linux | 7.0 |
MIT Kerberos V5 Key Distribution Center (KDC) before 1.2.5 allows remote authenticated attackers to cause a denial of service (crash) on KDCs within the same realm via a certain protocol request that causes a null dereference.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| sun | enterprise_authentication_mechanism | 1.0 |
| sun | sunos | 5.8 |
| mit | kerberos_5 | 1.2.2 |
| mit | kerberos_5 | 1.2.4 |
| sun | solaris | 9.0 |
| mit | kerberos_5 | 1.2.3 |
| mit | kerberos_5 | 1.2.1 |
| sun | solaris | 8.0 |
Unknown vulnerability in the chk_trans.c of the libkrb5 library for MIT Kerberos V5 before 1.2.5 allows users from one realm to impersonate users in other realms that have the same inter-realm keys.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.2.2 |
| mit | kerberos_5 | 1.2.1 |
Format string vulnerabilities in the logging routines for MIT Kerberos V5 Key Distribution Center (KDC) before 1.2.5 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers in Kerberos principal names.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.2.2 |
| mit | kerberos_5 | 1.2.4 |
| mit | kerberos_5 | 1.2.3 |
| mit | kerberos_5 | 1.2.1 |
The Key Distribution Center (KDC) in Kerberos 5 (krb5) 1.2.7 and earlier allows remote, authenticated attackers to cause a denial of service (crash) on KDCs within the same realm using a certain protocol request that causes an out-of-bounds read of an array (aka "array overrun").
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.2 |
| mit | kerberos_5 | 1.0.6 |
| mit | kerberos_5 | 1.1 |
| mit | kerberos_5 | 1.2.6 |
| mit | kerberos_5 | 1.2.5 |
| mit | kerberos | 1.0 |
| mit | kerberos_5 | 1.2.1 |
| mit | kerberos_5 | 1.2.7 |
| mit | kerberos_5 | 1.2.2 |
| mit | kerberos_5 | 1.2.4 |
| mit | kerberos_5 | 1.2.3 |
| mit | kerberos_5 | 1.1.1 |
| mit | kerberos_5 | 1.3 |
| mit | kerberos | 1.2.2.beta1 |
The Key Distribution Center (KDC) in Kerberos 5 (krb5) 1.2.7 and earlier allows remote, authenticated attackers to cause a denial of service (crash) on KDCs within the same realm using a certain protocol request that causes the KDC to corrupt its heap (aka "buffer underrun").
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.2 |
| mit | kerberos_5 | 1.0.6 |
| mit | kerberos_5 | 1.1 |
| mit | kerberos_5 | 1.2.6 |
| mit | kerberos_5 | 1.2.5 |
| mit | kerberos | 1.0 |
| mit | kerberos_5 | 1.2.1 |
| mit | kerberos_5 | 1.2.7 |
| mit | kerberos_5 | 1.2.2 |
| mit | kerberos_5 | 1.2.4 |
| mit | kerberos_5 | 1.2.3 |
| mit | kerberos_5 | 1.1.1 |
| mit | kerberos_5 | 1.3 |
| mit | kerberos | 1.2.2.beta1 |
Version 4 of the Kerberos protocol (krb4), as used in Heimdal and other packages, allows an attacker to impersonate any principal in a realm via a chosen-plaintext attack.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos | 4 |
Certain weaknesses in the implementation of version 4 of the Kerberos protocol (krb4) in the krb5 distribution, when triple-DES keys are used to key krb4 services, allow an attacker to create krb4 tickets for unauthorized principals using a cut-and-paste attack and "ticket splicing."
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos | 4 |
Multiple buffer overflows in krb5_aname_to_localname for MIT Kerberos 5 (krb5) 1.3.3 and earlier allow remote attackers to execute arbitrary code as root.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| sun | seam | 1.0.2 |
| mit | kerberos_5 | 1.0.6 |
| sgi | propack | 2.4 |
| mit | kerberos_5 | 1.2.5 |
| mit | kerberos_5 | 1.3.3 |
| sgi | propack | 3.0 |
| sun | solaris | 8.0 |
| mit | kerberos_5 | 1.2.7 |
| sun | sunos | 5.8 |
| tinysofa | tinysofa_enterprise_server | 1.0_u1 |
| mit | kerberos | 1.0.8 |
| sun | seam | 1.0 |
| mit | kerberos_5 | 1.1.1 |
| mit | kerberos_5 | 1.2 |
| sun | solaris | 9.0 |
| mit | kerberos_5 | 1.1 |
| mit | kerberos_5 | 1.2.6 |
| mit | kerberos | 1.0 |
| mit | kerberos_5 | 1.2.1 |
| tinysofa | tinysofa_enterprise_server | 1.0 |
| mit | kerberos_5 | 1.0 |
| mit | kerberos_5 | 1.2.2 |
| mit | kerberos_5 | 1.2.4 |
| sun | seam | 1.0.1 |
| mit | kerberos_5 | 1.2.3 |
| mit | kerberos_5 | 1.3 |
| mit | kerberos | 1.2.2.beta1 |
Double free vulnerabilities in the error handling code for ASN.1 decoders in the (1) Key Distribution Center (KDC) library and (2) client library for MIT Kerberos 5 (krb5) 1.3.4 and earlier may allow remote attackers to execute arbitrary code.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-415,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | * |
| redhat | enterprise_linux_desktop | 3.0 |
| debian | debian_linux | 3.0 |
| redhat | enterprise_linux_workstation | 3.0 |
| redhat | enterprise_linux_server | 3.0 |
Double free vulnerability in the krb5_rd_cred function for MIT Kerberos 5 (krb5) 1.3.1 and earlier may allow local users to execute arbitrary code.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-415,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | * |
| redhat | enterprise_linux_desktop | 3.0 |
| debian | debian_linux | 3.0 |
| redhat | enterprise_linux_workstation | 3.0 |
| redhat | enterprise_linux_server | 3.0 |
The asn1buf_skiptail function in the ASN.1 decoder library for MIT Kerberos 5 (krb5) 1.2.2 through 1.3.4 allows remote attackers to cause a denial of service (infinite loop) via a certain BER encoding.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.3.2 |
| mit | kerberos_5 | 1.2.6 |
| mit | kerberos_5 | 1.2.5 |
| mit | kerberos_5 | 1.3.3 |
| mit | kerberos_5 | 1.2.7 |
| mit | kerberos_5 | 1.3.4 |
| mit | kerberos_5 | 1.2.2 |
| mit | kerberos_5 | 1.2.4 |
| mit | kerberos_5 | 1.3.1 |
| mit | kerberos_5 | 1.2.3 |
| mit | kerberos_5 | 1.2.8 |
| mit | kerberos_5 | 1.3 |
Double free vulnerabilities in error handling code in krb524d for MIT Kerberos 5 (krb5) 1.2.8 and earlier may allow remote attackers to execute arbitrary code.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-415,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openpkg | openpkg | 2.1 |
| mit | kerberos_5 | * |
| debian | debian_linux | 3.0 |
| openpkg | openpkg | 2.0 |
The krb5-send-pr script in the kerberos5 (krb5) package in Trustix Secure Linux 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite files via a symlink attack on temporary files.
CVSS 2.0
Severity: LOW
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.3.4 |
The add_to_history function in svr_principal.c in libkadm5srv for MIT Kerberos 5 (krb5) up to 1.3.5, when performing a password change, does not properly track the password policy's history count and the maximum number of keys, which can cause an array index out-of-bounds error and may allow authenticated users to execute arbitrary code via a heap-based buffer overflow.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | * |
Certain BSD-based Telnet clients, including those used on Solaris and SuSE Linux, allow remote malicious Telnet servers to read sensitive environment variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.3.4 |
| sun | sunos | 5.9 |
| microsoft | telnet_client | 5.1.2600.2180 |
MIT Kerberos 5 (krb5) 1.3 through 1.4.1 Key Distribution Center (KDC) allows remote attackers to cause a denial of service (application crash) via a certain valid TCP connection that causes a free of unallocated memory.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.3.4 |
| mit | kerberos_5 | 1.4 |
| mit | kerberos_5 | 1.3.6 |
| mit | kerberos_5 | 1.3.1 |
| mit | kerberos_5 | 1.3.2 |
| mit | kerberos_5 | 1.3.3 |
| mit | kerberos_5 | 1.4.1 |
| mit | kerberos_5 | 1.3.5 |
| mit | kerberos_5 | 1.3 |
Heap-based buffer overflow in the Key Distribution Center (KDC) in MIT Kerberos 5 (krb5) 1.4.1 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a certain valid TCP or UDP request.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.3.4 |
| mit | kerberos_5 | 1.4 |
| mit | kerberos_5 | 1.3.6 |
| mit | kerberos_5 | 1.3.1 |
| mit | kerberos_5 | 1.3.2 |
| mit | kerberos_5 | 1.3.3 |
| mit | kerberos_5 | 1.4.1 |
| mit | kerberos_5 | 1.3.5 |
| mit | kerberos_5 | 1.3 |
Double free vulnerability in the krb5_recvauth function in MIT Kerberos 5 (krb5) 1.4.1 and earlier allows remote attackers to execute arbitrary code via certain error conditions.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-415,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| apple | mac_os_x_server | * |
| apple | mac_os_x | * |
| mit | kerberos_5 | * |
| debian | debian_linux | 3.0 |
| debian | debian_linux | 3.1 |
The RPC library in Kerberos 5 1.4 through 1.4.4, and 1.5 through 1.5.1, as used in Kerberos administration daemon (kadmind) and other products that use this library, calls an uninitialized function pointer in freed memory, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-824,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.4.3 |
| canonical | ubuntu_linux | 6.10 |
| mit | kerberos_5 | 1.4.2 |
| mit | kerberos_5 | 1.4.4 |
| mit | kerberos_5 | 1.4 |
| mit | kerberos_5 | 1.5 |
| mit | kerberos_5 | 1.4.1 |
| canonical | ubuntu_linux | 6.06 |
| mit | kerberos_5 | 1.5.1 |
The gssrpc__svcauth_gssapi function in the RPC library in MIT Kerberos 5 (krb5) 1.6.1 and earlier might allow remote attackers to execute arbitrary code via a zero-length RPC credential, which causes kadmind to free an uninitialized pointer during cleanup.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-824,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 6.10 |
| mit | kerberos_5 | * |
| canonical | ubuntu_linux | 6.06 |
| canonical | ubuntu_linux | 7.04 |
| debian | debian_linux | 4.0 |
| debian | debian_linux | 3.1 |
The kadm5_modify_policy_internal function in lib/kadm5/srv/svr_policy.c in the Kerberos administration daemon (kadmind) in MIT Kerberos 5 (krb5) 1.5 through 1.6.2 does not properly check return values when the policy does not exist, which might allow remote authenticated users with the "modify policy" privilege to execute arbitrary code via unspecified vectors that trigger a write to an uninitialized pointer.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-824,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | * |
| fedoraproject | fedora | 7 |
The reply function in ftpd.c in the gssftp ftpd in MIT Kerberos 5 (krb5) does not initialize the length variable when auth_type has a certain value, which has unknown impact and remote authenticated attack vectors. NOTE: the original disclosure misidentifies the conditions under which the uninitialized variable is used. NOTE: the vendor disputes this issue, stating " The 'length' variable is only uninitialized if 'auth_type' is neither the 'KERBEROS_V4' nor 'GSSAPI'; this condition cannot occur in the unmodified source code.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | - |
KDC in MIT Kerberos 5 (krb5kdc) does not set a global variable for some krb4 message types, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted messages that trigger a NULL pointer dereference or double-free.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-665,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 8 |
| canonical | ubuntu_linux | 6.10 |
| mit | kerberos_5 | * |
| fedoraproject | fedora | 7 |
| canonical | ubuntu_linux | 6.06 |
| canonical | ubuntu_linux | 7.04 |
| debian | debian_linux | 4.0 |
| debian | debian_linux | 3.1 |
| canonical | ubuntu_linux | 7.10 |
The Kerberos 4 support in KDC in MIT Kerberos 5 (krb5kdc) does not properly clear the unused portion of a buffer when generating an error message, which might allow remote attackers to obtain sensitive information, aka "Uninitialized stack values."
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-908,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| suse | linux_enterprise_server | 10 |
| apple | mac_os_x | * |
| mit | kerberos_5 | * |
| suse | linux_enterprise_desktop | 10 |
| opensuse | opensuse | 10.2 |
| opensuse | opensuse | 10.3 |
| fedoraproject | fedora | 7 |
| debian | debian_linux | 4.0 |
| canonical | ubuntu_linux | 7.10 |
| fedoraproject | fedora | 8 |
| canonical | ubuntu_linux | 6.10 |
| suse | linux_enterprise_software_development_kit | 10 |
| apple | mac_os_x_server | * |
| canonical | ubuntu_linux | 6.06 |
| canonical | ubuntu_linux | 7.04 |
| suse | linux | 10.1 |
| debian | debian_linux | 3.1 |
The asn1_decode_generaltime function in lib/krb5/asn.1/asn1_decode.c in the ASN.1 GeneralizedTime decoder in MIT Kerberos 5 (aka krb5) before 1.6.4 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via vectors involving an invalid DER encoding that triggers a free of an uninitialized pointer.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-824,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| apple | mac_os_x | * |
| fedoraproject | fedora | 9 |
| mit | kerberos_5 | * |
| redhat | enterprise_linux | 4.0 |
| canonical | ubuntu_linux | 8.10 |
| redhat | enterprise_linux_desktop | 3.0 |
| fedoraproject | fedora | 10 |
| redhat | enterprise_linux_eus | 4.7 |
| redhat | enterprise_linux_server | 3.0 |
| canonical | ubuntu_linux | 7.10 |
| redhat | enterprise_linux_desktop | 4.0 |
| redhat | enterprise_linux_server | 2.0 |
| redhat | enterprise_linux_workstation | 3.0 |
| canonical | ubuntu_linux | 6.06 |
| redhat | enterprise_linux_server | 4.0 |
| redhat | enterprise_linux_workstation | 4.0 |
| canonical | ubuntu_linux | 8.04 |
| redhat | enterprise_linux_workstation | 2.0 |
The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.7 before 1.7.2, and 1.8 alpha, allows remote attackers to cause a denial of service (assertion failure and daemon crash) via an invalid (1) AS-REQ or (2) TGS-REQ request.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.7.1 |
| mit | kerberos_5 | 1.7 |
| mit | kerberos | 5-1.8 |
The spnego_gss_accept_sec_context function in lib/gssapi/spnego/spnego_mech.c in the SPNEGO GSS-API functionality in MIT Kerberos 5 (aka krb5) 1.7 before 1.7.2 and 1.8 before 1.8.1 allows remote attackers to cause a denial of service (assertion failure and daemon crash) via an invalid packet that triggers incorrect preparation of an error token.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.7.1 |
| mit | kerberos_5 | 1.7 |
| mit | kerberos_5 | 1.8 |
Use-after-free vulnerability in kadmin/server/server_stubs.c in kadmind in MIT Kerberos 5 (aka krb5) 1.5 through 1.6.3 allows remote authenticated users to cause a denial of service (daemon crash) via a request from a kadmin client that sends an invalid API version number.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 2.8 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-416,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| opensuse | opensuse | 11.0 |
| mit | kerberos_5 | * |
| canonical | ubuntu_linux | 9.04 |
| opensuse | opensuse | 11.1 |
| fedoraproject | fedora | 11 |
| suse | linux_enterprise | 11.0 |
| canonical | ubuntu_linux | 8.10 |
| canonical | ubuntu_linux | 8.04 |
Double free vulnerability in do_tgs_req.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.7.x and 1.8.x before 1.8.2 allows remote authenticated users to cause a denial of service (daemon crash) or possibly execute arbitrary code via a request associated with (1) renewal or (2) validation.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.7.1 |
| mit | kerberos_5 | 1.7 |
| mit | kerberos_5 | 1.8 |
| mit | kerberos_5 | 1.8.1 |
The kg_accept_krb5 function in krb5/accept_sec_context.c in the GSS-API library in MIT Kerberos 5 (aka krb5) through 1.7.1 and 1.8 before 1.8.2, as used in kadmind and other applications, does not properly check for invalid GSS-API tokens, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via an AP-REQ message in which the authenticator's checksum field is missing.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-476,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| suse | linux_enterprise_server | 10 |
| mit | kerberos_5 | * |
| fedoraproject | fedora | 13 |
| opensuse | opensuse | 11.3 |
| opensuse | opensuse | 11.0 |
| suse | linux_enterprise_server | 11 |
| opensuse | opensuse | 11.2 |
| oracle | database_server | - |
| canonical | ubuntu_linux | 9.04 |
| opensuse | opensuse | 11.1 |
| fedoraproject | fedora | 11 |
| debian | debian_linux | 6.0 |
| canonical | ubuntu_linux | 10.04 |
| canonical | ubuntu_linux | 9.10 |
| fedoraproject | fedora | 12 |
| debian | debian_linux | 5.0 |
| canonical | ubuntu_linux | 6.06 |
| canonical | ubuntu_linux | 8.04 |
The merge_authdata function in kdc_authdata.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8.x before 1.8.4 does not properly manage an index into an authorization-data list, which allows remote attackers to cause a denial of service (daemon crash), or possibly obtain sensitive information, spoof authorization, or execute arbitrary code, via a TGS request that triggers an uninitialized pointer dereference, as demonstrated by a request from a Windows Active Directory client.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.8.3 |
| mit | kerberos_5 | 1.8.2 |
| mit | kerberos_5 | 1.8 |
| mit | kerberos_5 | 1.8.1 |
MIT Kerberos 5 (aka krb5) 1.3.x, 1.4.x, 1.5.x, 1.6.x, 1.7.x, and 1.8.x through 1.8.3 does not properly determine the acceptability of checksums, which might allow remote attackers to modify user-visible prompt text, modify a response to a Key Distribution Center (KDC), or forge a KRB-SAFE message via certain checksums that (1) are unkeyed or (2) use RC4 keys.
CVSS 2.0
Severity: LOW
Problem Type: CWE-310,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.8.3 |
| mit | kerberos_5 | 1.4 |
| mit | kerberos_5 | 1.5 |
| mit | kerberos_5 | 1.3.3 |
| mit | kerberos_5 | 1.6.1 |
| mit | kerberos | 5-1.5.4 |
| mit | kerberos_5 | 1.5.3 |
| mit | kerberos_5 | 1.4.4 |
| mit | kerberos_5 | 1.8.2 |
| mit | kerberos_5 | 1.7 |
| mit | kerberos_5 | 1.4.1 |
| mit | kerberos_5 | 1.3.5 |
| mit | kerberos_5 | 1.8.1 |
| mit | kerberos_5 | 1.6.2 |
| mit | kerberos_5 | 1.4.3 |
| mit | kerberos_5 | 1.4.2 |
| mit | kerberos_5 | 1.7.1 |
| mit | kerberos_5 | 1.3.2 |
| mit | kerberos_5 | 1.8 |
| mit | kerberos_5 | 1.5.1 |
| mit | kerberos_5 | 1.3.4 |
| mit | kerberos_5 | 1.6 |
| mit | kerberos_5 | 1.3.6 |
| mit | kerberos_5 | 1.3.1 |
| mit | kerberos_5 | 1.3 |
| mit | kerberos_5 | 1.5.2 |
MIT Kerberos 5 (aka krb5) 1.7.x and 1.8.x through 1.8.3 does not properly determine the acceptability of checksums, which might allow remote attackers to forge GSS tokens, gain privileges, or have unspecified other impact via (1) an unkeyed checksum, (2) an unkeyed PAC checksum, or (3) a KrbFastArmoredReq checksum based on an RC4 key.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-310,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.8.3 |
| mit | kerberos_5 | 1.7.1 |
| mit | kerberos_5 | 1.8.2 |
| mit | kerberos_5 | 1.7 |
| mit | kerberos_5 | 1.8 |
| mit | kerberos_5 | 1.8.1 |
MIT Kerberos 5 (aka krb5) 1.8.x through 1.8.3 does not reject RC4 key-derivation checksums, which might allow remote authenticated users to forge a (1) AD-SIGNEDPATH or (2) AD-KDC-ISSUED signature, and possibly gain privileges, by leveraging the small key space that results from certain one-byte stream-cipher operations.
CVSS 2.0
Severity: LOW
Problem Type: CWE-310,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.8.3 |
| mit | kerberos_5 | 1.8.2 |
| mit | kerberos_5 | 1.8 |
| mit | kerberos_5 | 1.8.1 |
The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.7 does not properly restrict the use of TGT credentials for armoring TGS requests, which might allow remote authenticated users to impersonate a client by rewriting an inner request, aka a "KrbFastReq forgery issue."
CVSS 2.0
Severity: LOW
Problem Type: CWE-16,CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.7 |
The do_standalone function in the MIT krb5 KDC database propagation daemon (kpropd) in Kerberos 1.7, 1.8, and 1.9, when running in standalone mode, does not properly handle when a worker child process "exits abnormally," which allows remote attackers to cause a denial of service (listening process termination, no new connections, and lack of updates in slave KVC) via unspecified vectors.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.7 |
| mit | kerberos_5 | 1.8 |
| mit | kerberos_5 | 1.9 |
The unparse implementation in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.6.x through 1.9, when an LDAP backend is used, allows remote attackers to cause a denial of service (file descriptor exhaustion and daemon hang) via a principal name that triggers use of a backslash escape sequence, as demonstrated by a \n sequence.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-310,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.8.3 |
| mit | kerberos_5 | 1.6 |
| mit | kerberos_5 | 1.7.1 |
| mit | kerberos | 5-1.6.3 |
| mit | kerberos_5 | 1.8.2 |
| mit | kerberos_5 | 1.7 |
| mit | kerberos_5 | 1.8 |
| mit | kerberos_5 | 1.6.1 |
| mit | kerberos_5 | 1.8.1 |
| mit | kerberos_5 | 1.9 |
| mit | kerberos_5 | 1.6.2 |
The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.6.x through 1.9, when an LDAP backend is used, allows remote attackers to cause a denial of service (NULL pointer dereference or buffer over-read, and daemon crash) via a crafted principal name.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.8.3 |
| mit | kerberos_5 | 1.6 |
| mit | kerberos_5 | 1.7.1 |
| mit | kerberos | 5-1.6.3 |
| mit | kerberos_5 | 1.8.2 |
| mit | kerberos_5 | 1.7 |
| mit | kerberos_5 | 1.8 |
| mit | kerberos_5 | 1.6.1 |
| mit | kerberos_5 | 1.8.1 |
| mit | kerberos_5 | 1.9 |
| mit | kerberos_5 | 1.6.2 |
The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.9 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a malformed request packet that does not trigger a response packet.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.9 |
Double free vulnerability in the prepare_error_as function in do_as_req.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.7 through 1.9, when the PKINIT feature is enabled, allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via an e_data field containing typed data.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.8.3 |
| mit | kerberos_5 | 1.7.1 |
| mit | kerberos_5 | 1.8.2 |
| mit | kerberos_5 | 1.7 |
| mit | kerberos_5 | 1.8 |
| mit | kerberos_5 | 1.8.1 |
| mit | kerberos_5 | 1.9 |
The process_chpw_request function in schpw.c in the password-changing functionality in kadmind in MIT Kerberos 5 (aka krb5) 1.7 through 1.9 frees an invalid pointer, which allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via a crafted request that triggers an error condition.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.8.3 |
| mit | kerberos_5 | 1.7.1 |
| mit | kerberos_5 | 1.8.2 |
| mit | kerberos_5 | 1.7 |
| mit | kerberos_5 | 1.8 |
| mit | kerberos_5 | 1.8.1 |
| mit | kerberos_5 | 1.9 |
ftpd.c in the GSS-API FTP daemon in MIT Kerberos Version 5 Applications (aka krb5-appl) 1.0.1 and earlier does not check the krb5_setegid return value, which allows remote authenticated users to bypass intended group access restrictions, and create, overwrite, delete, or read files, via standard FTP commands, related to missing autoconf tests in a configure script.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-269,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| suse | linux_enterprise_server | 10 |
| fedoraproject | fedora | 14 |
| opensuse | opensuse | 11.4 |
| suse | linux_enterprise_desktop | 10 |
| opensuse | opensuse | 11.3 |
| suse | linux_enterprise_server | 11 |
| suse | linux_enterprise_software_development_kit | 10 |
| suse | linux_enterprise_software_development_kit | 11 |
| debian | debian_linux | 6.0 |
| fedoraproject | fedora | 15 |
| mit | krb5-appl | * |
| debian | debian_linux | 5.0 |
| suse | linux_enterprise_desktop | 11 |
The kdb_ldap plugin in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.9 through 1.9.1, when the LDAP back end is used, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a kinit operation with incorrect string case for the realm, related to the is_principal_in_realm, krb5_set_error_message, krb5_ldap_get_principal, and process_as_req functions.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.9.1 |
| mit | kerberos_5 | 1.9 |
The krb5_ldap_lockout_audit function in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8 through 1.8.4 and 1.9 through 1.9.1, when the LDAP back end is used, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via unspecified vectors, related to the locked_check_p function. NOTE: the Berkeley DB vector is covered by CVE-2011-4151.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.8.3 |
| mit | kerberos_5 | 1.8.2 |
| mit | kerberos_5 | 1.8 |
| mit | kerberos_5 | 1.8.1 |
| mit | kerberos_5 | 1.9.1 |
| mit | kerberos_5 | 1.9 |
| mit | kerberos_5 | 1.8.4 |
The lookup_lockout_policy function in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8 through 1.8.4 and 1.9 through 1.9.1, when the db2 (aka Berkeley DB) or LDAP back end is used, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via vectors that trigger certain process_as_req errors.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.8.3 |
| mit | kerberos_5 | 1.8.2 |
| mit | kerberos_5 | 1.8 |
| mit | kerberos_5 | 1.8.1 |
| mit | kerberos_5 | 1.9.1 |
| mit | kerberos_5 | 1.9 |
| mit | kerberos_5 | 1.8.4 |
The process_tgs_req function in do_tgs_req.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.9 through 1.9.2 allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted TGS request that triggers an error other than the KRB5_KDB_NOENTRY error.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | mit_kerberos | 5.1.9.2 |
| mit | mit_kerberos | 5.1.9 |
| mit | mit_kerberos | 5.1.9.1 |
The krb5_db2_lockout_audit function in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8 through 1.8.4, when the db2 (aka Berkeley DB) back end is used, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via unspecified vectors, a different vulnerability than CVE-2011-1528.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.8.3 |
| mit | kerberos_5 | 1.8.2 |
| mit | kerberos_5 | 1.8 |
| mit | kerberos_5 | 1.8.1 |
| mit | kerberos_5 | 1.8.4 |
Buffer overflow in libtelnet/encrypt.c in telnetd in FreeBSD 7.3 through 9.0, MIT Kerberos Version 5 Applications (aka krb5-appl) 1.0.2 and earlier, Heimdal 1.5.1 and earlier, GNU inetutils, and possibly other products allows remote attackers to execute arbitrary code via a long encryption key, as exploited in the wild in December 2011.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-120,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| suse | linux_enterprise_server | 10 |
| debian | debian_linux | 7.0 |
| opensuse | opensuse | 11.4 |
| suse | linux_enterprise_desktop | 10 |
| opensuse | opensuse | 11.3 |
| suse | linux_enterprise_server | 11 |
| gnu | inetutils | * |
| suse | linux_enterprise_software_development_kit | 10 |
| suse | linux_enterprise_server | 9 |
| suse | linux_enterprise_software_development_kit | 11 |
| debian | debian_linux | 6.0 |
| fedoraproject | fedora | 15 |
| mit | krb5-appl | * |
| heimdal_project | heimdal | * |
| fedoraproject | fedora | 16 |
| freebsd | freebsd | * |
| debian | debian_linux | 5.0 |
| suse | linux_enterprise_desktop | 11 |
server/server_stubs.c in the kadmin protocol implementation in MIT Kerberos 5 (aka krb5) 1.10 before 1.10.1 does not properly restrict access to (1) SET_STRING and (2) GET_STRINGS operations, which might allow remote authenticated administrators to modify or read string attributes by leveraging the global list privilege.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.10 |
| mit | kerberos_5 | 1.10.1 |
The check_1_6_dummy function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) 1.8.x, 1.9.x, and 1.10.x before 1.10.2 allows remote authenticated administrators to cause a denial of service (NULL pointer dereference and daemon crash) via a KRB5_KDB_DISALLOW_ALL_TIX create request that lacks a password.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.8.3 |
| mit | kerberos_5 | 1.9.3 |
| mit | kerberos_5 | 1.8 |
| mit | kerberos_5 | 1.10.1 |
| mit | kerberos_5 | 1.8.6 |
| mit | kerberos_5 | 1.9 |
| mit | kerberos_5 | 1.8.4 |
| mit | kerberos_5 | 1.8.5 |
| mit | kerberos_5 | 1.9.2 |
| mit | kerberos_5 | 1.10 |
| mit | kerberos_5 | 1.8.2 |
| mit | kerberos_5 | 1.8.1 |
| mit | kerberos_5 | 1.9.1 |
The pkinit_check_kdc_pkid function in plugins/preauth/pkinit/pkinit_crypto_openssl.c in the PKINIT implementation in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.10.4 and 1.11.x before 1.11.1 does not properly handle errors during extraction of fields from an X.509 certificate, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a malformed KRB5_PADATA_PK_AS_REQ AS-REQ request.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-476,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | * |
| mit | kerberos_5 | 1.11 |
| opensuse | opensuse | 11.4 |
The prep_reprocess_req function in do_tgs_req.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.10.5 does not properly perform service-principal realm referral, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted TGS-REQ request.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-476,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 18 |
| redhat | enterprise_linux_server | 6.0 |
| redhat | enterprise_linux_workstation | 6.0 |
| redhat | enterprise_linux_eus | 6.4 |
| redhat | enterprise_linux_server_aus | 6.4 |
| mit | kerberos_5 | * |
| redhat | enterprise_linux_desktop | 6.0 |
| opensuse | opensuse | 12.1 |
| opensuse | opensuse | 11.4 |
| opensuse | opensuse | 12.3 |
| fedoraproject | fedora | 17 |
| opensuse | opensuse | 12.2 |
do_tgs_req.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.11 before 1.11.4, when a single-component realm name is used, allows remote authenticated users to cause a denial of service (daemon crash) via a TGS-REQ request that triggers an attempted cross-realm referral for a host-based service principal.
CVSS 2.0
Severity: LOW
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.11.3 |
| mit | kerberos_5 | 1.11 |
| mit | kerberos_5 | 1.11.2 |
| mit | kerberos_5 | 1.11.1 |
The setup_server_realm function in main.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.10.7, when multiple realms are configured, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted request.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-476,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | * |
| debian | debian_linux | 7.0 |
| opensuse | opensuse | 13.1 |
| opensuse | opensuse | 11.4 |
| opensuse | opensuse | 12.3 |
| opensuse | opensuse | 12.2 |
An unspecified third-party database module for the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.10.x allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted request, a different vulnerability than CVE-2013-1418.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos | 5-1.10.7 |
| mit | kerberos_5 | 1.10 |
| mit | kerberos_5 | 1.10.4 |
| mit | kerberos | 5-1.10.6 |
| mit | kerberos_5 | 1.10.1 |
| mit | kerberos_5 | 1.10.3 |
| mit | kerberos | 5-1.10.5 |
| mit | kerberos_5 | 1.10.2 |
MIT Kerberos 5 (aka krb5) before 1.12.2 allows remote attackers to cause a denial of service (buffer over-read and application crash) by injecting invalid tokens into a GSSAPI application session.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | enterprise_linux_server_aus | 7.3 |
| redhat | enterprise_linux_server_aus | 7.7 |
| redhat | enterprise_linux_server_eus | 7.4 |
| redhat | enterprise_linux_tus | 7.7 |
| mit | kerberos_5 | * |
| debian | debian_linux | 7.0 |
| redhat | enterprise_linux_server_eus | 7.6 |
| redhat | enterprise_linux_eus | 7.7 |
| redhat | enterprise_linux_tus | 7.6 |
| redhat | enterprise_linux_server_aus | 7.6 |
| redhat | enterprise_linux_eus | 7.3 |
| redhat | enterprise_linux_eus | 7.4 |
| redhat | enterprise_linux_eus | 7.5 |
| redhat | enterprise_linux_server | 7.0 |
| redhat | enterprise_linux_eus | 7.6 |
| redhat | enterprise_linux_server_eus | 7.7 |
| redhat | enterprise_linux_server_eus | 7.3 |
| redhat | enterprise_linux_server_aus | 7.4 |
| redhat | enterprise_linux_desktop | 7.0 |
| fedoraproject | fedora | 20 |
| redhat | enterprise_linux_workstation | 7.0 |
| redhat | enterprise_linux_tus | 7.3 |
MIT Kerberos 5 (aka krb5) 1.7.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (buffer over-read or NULL pointer dereference, and application crash) by injecting invalid tokens into a GSSAPI application session.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.9.4 |
| mit | kerberos_5 | 1.8.3 |
| mit | kerberos_5 | 1.11.3 |
| mit | kerberos_5 | 1.12.1 |
| debian | debian_linux | 7.0 |
| mit | kerberos | 5-1.10.6 |
| mit | kerberos_5 | 1.10.1 |
| mit | kerberos_5 | 1.8.6 |
| mit | kerberos_5 | 1.11.2 |
| mit | kerberos_5 | 1.10.3 |
| mit | kerberos_5 | 1.9 |
| mit | kerberos_5 | 1.12 |
| mit | kerberos_5 | 1.9.2 |
| redhat | enterprise_linux_server | 7.0 |
| mit | kerberos | 5-1.10.7 |
| mit | kerberos_5 | 1.8.2 |
| mit | kerberos_5 | 1.7 |
| mit | kerberos_5 | 1.10.4 |
| redhat | enterprise_linux_desktop | 7.0 |
| mit | kerberos_5 | 1.8.1 |
| mit | kerberos_5 | 1.9.1 |
| mit | kerberos_5 | 1.11.1 |
| mit | kerberos_5 | 1.11.4 |
| mit | kerberos_5 | 1.9.3 |
| mit | kerberos_5 | 1.11 |
| mit | kerberos_5 | 1.7.1 |
| mit | kerberos_5 | 1.8 |
| mit | kerberos | 5-1.10.5 |
| mit | kerberos_5 | 1.8.4 |
| mit | kerberos_5 | 1.8.5 |
| mit | kerberos | 5-1.8 |
| redhat | enterprise_linux_hpc_node | 7.0 |
| mit | kerberos_5 | 1.10 |
| redhat | enterprise_linux_workstation | 7.0 |
| mit | kerberos_5 | 1.10.2 |
Double free vulnerability in the init_ctx_reselect function in the SPNEGO initiator in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.10.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via network traffic that appears to come from an intended acceptor, but specifies a security mechanism different from the one proposed by the initiator.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-415,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.11.3 |
| mit | kerberos_5 | 1.11 |
| mit | kerberos_5 | 1.12.1 |
| debian | debian_linux | 7.0 |
| mit | kerberos_5 | 1.10.1 |
| mit | kerberos_5 | 1.11.2 |
| mit | kerberos_5 | 1.10.3 |
| mit | kerberos_5 | 1.12 |
| redhat | enterprise_linux_server | 7.0 |
| redhat | enterprise_linux_hpc_node | 7.0 |
| mit | kerberos_5 | 1.10 |
| mit | kerberos_5 | 1.11.5 |
| mit | kerberos_5 | 1.10.4 |
| redhat | enterprise_linux_desktop | 7.0 |
| redhat | enterprise_linux_workstation | 7.0 |
| mit | kerberos_5 | 1.11.1 |
| mit | kerberos_5 | 1.10.2 |
| mit | kerberos_5 | 1.11.4 |
The acc_ctx_cont function in the SPNEGO acceptor in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.5.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty continuation token at a certain point during a SPNEGO negotiation.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-476,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.11.3 |
| mit | kerberos_5 | 1.11 |
| mit | kerberos_5 | 1.12.1 |
| debian | debian_linux | 7.0 |
| mit | kerberos_5 | 1.10.1 |
| mit | kerberos_5 | 1.11.2 |
| mit | kerberos_5 | 1.10.3 |
| mit | kerberos_5 | 1.12 |
| redhat | enterprise_linux_server | 7.0 |
| redhat | enterprise_linux_hpc_node | 7.0 |
| mit | kerberos_5 | 1.10 |
| mit | kerberos_5 | 1.11.5 |
| mit | kerberos_5 | 1.10.4 |
| redhat | enterprise_linux_desktop | 7.0 |
| redhat | enterprise_linux_workstation | 7.0 |
| mit | kerberos_5 | 1.11.1 |
| mit | kerberos_5 | 1.10.2 |
| mit | kerberos_5 | 1.11.4 |
Off-by-one error in the krb5_encode_krbsecretkey function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in the LDAP KDB module in kadmind in MIT Kerberos 5 (aka krb5) 1.6.x through 1.11.x before 1.11.6 and 1.12.x before 1.12.2 allows remote authenticated users to cause a denial of service (buffer overflow) or possibly execute arbitrary code via a series of "cpw -keepold" commands.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-189,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.9.4 |
| mit | kerberos_5 | 1.8.3 |
| mit | kerberos_5 | 1.11.3 |
| mit | kerberos_5 | 1.12.1 |
| mit | kerberos_5 | 1.10.1 |
| mit | kerberos_5 | 1.8.6 |
| mit | kerberos_5 | 1.11.2 |
| mit | kerberos_5 | 1.6.1 |
| mit | kerberos_5 | 1.10.3 |
| mit | kerberos_5 | 1.9 |
| mit | kerberos_5 | 1.12 |
| mit | kerberos_5 | 1.9.2 |
| mit | kerberos_5 | 1.11.5 |
| mit | kerberos_5 | 1.8.2 |
| mit | kerberos_5 | 1.7 |
| mit | kerberos_5 | 1.10.4 |
| mit | kerberos_5 | 1.8.1 |
| mit | kerberos_5 | 1.9.1 |
| mit | kerberos_5 | 1.11.1 |
| mit | kerberos_5 | 1.11.4 |
| mit | kerberos_5 | 1.6.2 |
| mit | kerberos_5 | 1.9.3 |
| mit | kerberos_5 | 1.11 |
| mit | kerberos_5 | 1.7.1 |
| mit | kerberos_5 | 1.8 |
| mit | kerberos_5 | 1.8.4 |
| mit | kerberos_5 | 1.8.5 |
| mit | kerberos_5 | 1.6 |
| mit | kerberos_5 | 1.10 |
| mit | kerberos_5 | 1.10.2 |
The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13 sends old keys in a response to a -randkey -keepold request, which allows remote authenticated users to forge tickets by leveraging administrative access.
CVSS 2.0
Severity: LOW
Problem Type: CWE-255,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.12.2 |
The krb5_gss_process_context_token function in lib/gssapi/krb5/process_context_token.c in the libgssapi_krb5 library in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 does not properly maintain security-context handles, which allows remote authenticated users to cause a denial of service (use-after-free and double free, and daemon crash) or possibly execute arbitrary code via crafted GSSAPI traffic, as demonstrated by traffic to kadmind.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.11.3 |
| mit | kerberos_5 | 1.11 |
| mit | kerberos_5 | 1.12.1 |
| mit | kerberos_5 | 1.13 |
| mit | kerberos_5 | 1.11.5 |
| mit | kerberos_5 | 1.11.2 |
| mit | kerberos_5 | 1.12.2 |
| mit | kerberos_5 | 1.11.1 |
| mit | kerberos_5 | 1.11.4 |
| mit | kerberos_5 | 1.12 |
The krb5_ldap_get_password_policy_from_dn function in plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c in MIT Kerberos 5 (aka krb5) before 1.13.1, when the KDC uses LDAP, allows remote authenticated users to cause a denial of service (daemon crash) via a successful LDAP query with no results, as demonstrated by using an incorrect object type for a password policy.
CVSS 2.0
Severity: LOW
Problem Type: CWE-476,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 14.04 |
| redhat | enterprise_linux_server_tus | 6.6 |
| redhat | enterprise_linux_server_aus | 7.3 |
| redhat | enterprise_linux_server_aus | 7.7 |
| redhat | enterprise_linux_server_aus | 6.6 |
| mit | kerberos_5 | * |
| fedoraproject | fedora | 22 |
| debian | debian_linux | 7.0 |
| redhat | enterprise_linux_eus | 7.7 |
| redhat | enterprise_linux_server_aus | 7.6 |
| redhat | enterprise_linux_eus | 7.5 |
| redhat | enterprise_linux_server_tus | 7.3 |
| redhat | enterprise_linux_server | 7.0 |
| opensuse | opensuse | 13.2 |
| canonical | ubuntu_linux | 10.04 |
| opensuse | opensuse | 13.1 |
| redhat | enterprise_linux_server_tus | 7.6 |
| redhat | enterprise_linux_eus | 6.6 |
| redhat | enterprise_linux_server_aus | 7.4 |
| redhat | enterprise_linux_server | 6.0 |
| redhat | enterprise_linux_workstation | 6.0 |
| redhat | enterprise_linux_server_tus | 7.7 |
| oracle | solaris | 11.2 |
| redhat | enterprise_linux_desktop | 6.0 |
| canonical | ubuntu_linux | 14.10 |
| redhat | enterprise_linux_eus | 7.3 |
| redhat | enterprise_linux_eus | 7.4 |
| canonical | ubuntu_linux | 12.04 |
| redhat | enterprise_linux_eus | 7.6 |
| oracle | solaris | 10 |
plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x before 1.13.1, when the KDC uses LDAP, allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) by creating a database entry for a keyless principal, as demonstrated by a kadmin "add_principal -nokey" or "purgekeys -all" command.
CVSS 2.0
Severity: LOW
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.12.1 |
| mit | kerberos | 5_1.13 |
| mit | kerberos_5 | 1.12.2 |
| mit | kerberos_5 | 1.12 |
MIT Kerberos 5 (aka krb5) through 1.13.1 incorrectly expects that a krb5_read_message data field is represented as a string ending with a '\0' character, which allows remote attackers to (1) cause a denial of service (NULL pointer dereference) via a zero-byte version string or (2) cause a denial of service (out-of-bounds read) by omitting the '\0' character, related to appl/user_user/server.c and lib/krb5/krb/recvauth.c.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.9.4 |
| mit | kerberos_5 | 1.8.3 |
| mit | kerberos_5 | 1.13 |
| mit | kerberos_5 | 1.13.1 |
| mit | kerberos_5 | 1.5 |
| mit | kerberos_5 | 1.2.5 |
| mit | kerberos_5 | 1.3.3 |
| mit | kerberos_5 | 1.8.6 |
| mit | kerberos_5 | 1.6.1 |
| mit | kerberos_5 | 1.9 |
| mit | kerberos_5 | 1.12 |
| mit | kerberos_5 | 1.5.3 |
| mit | kerberos_5 | 1.9.2 |
| mit | kerberos_5 | 1.7 |
| mit | kerberos_5 | 1.2.8 |
| mit | kerberos_5 | 1.6.2 |
| mit | kerberos_5 | 1.4.3 |
| mit | kerberos_5 | 1.9.3 |
| mit | kerberos_5 | 1.2.1 |
| mit | kerberos_5 | 1.3.4 |
| mit | kerberos_5 | 1.2.2 |
| mit | kerberos_5 | 1.6 |
| mit | kerberos_5 | 1.3.6 |
| mit | kerberos_5 | 1.3 |
| mit | kerberos_5 | 1.5.2 |
| mit | kerberos_5 | 1.11.3 |
| mit | kerberos_5 | 1.4 |
| mit | kerberos_5 | 1.12.1 |
| mit | kerberos_5 | 1.10.1 |
| mit | kerberos_5 | 1.11.2 |
| mit | kerberos_5 | 1.10.3 |
| mit | kerberos_5 | 1.2.7 |
| mit | kerberos_5 | 1.4.4 |
| mit | kerberos_5 | 1.11.5 |
| mit | kerberos_5 | 1.8.2 |
| mit | kerberos_5 | 1.10.4 |
| mit | kerberos_5 | 1.4.1 |
| mit | kerberos_5 | 1.3.5 |
| mit | kerberos_5 | 1.8.1 |
| mit | kerberos_5 | 1.9.1 |
| mit | kerberos_5 | 1.11.1 |
| mit | kerberos_5 | 1.11.4 |
| mit | kerberos_5 | 1.4.2 |
| mit | kerberos_5 | 1.2 |
| mit | kerberos_5 | 1.11 |
| mit | kerberos_5 | 1.7.1 |
| mit | kerberos_5 | 1.3.2 |
| mit | kerberos_5 | 1.1 |
| mit | kerberos_5 | 1.2.6 |
| mit | kerberos_5 | 1.8 |
| mit | kerberos_5 | 1.12.2 |
| mit | kerberos_5 | 1.5.1 |
| mit | kerberos_5 | 1.8.4 |
| mit | kerberos_5 | 1.8.5 |
| mit | kerberos_5 | 1.2.4 |
| mit | kerberos_5 | 1.10 |
| mit | kerberos_5 | 1.3.1 |
| mit | kerberos_5 | 1.2.3 |
| mit | kerberos_5 | 1.10.2 |
The auth_gssapi_unwrap_data function in lib/rpc/auth_gssapi_misc.c in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 does not properly handle partial XDR deserialization, which allows remote authenticated users to cause a denial of service (use-after-free and double free, and daemon crash) or possibly execute arbitrary code via malformed XDR data, as demonstrated by data sent to kadmind.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.11.3 |
| mit | kerberos_5 | 1.11 |
| mit | kerberos_5 | 1.12.1 |
| mit | kerberos_5 | 1.13 |
| mit | kerberos_5 | 1.11.5 |
| mit | kerberos_5 | 1.11.2 |
| mit | kerberos_5 | 1.12.2 |
| mit | kerberos_5 | 1.11.1 |
| mit | kerberos_5 | 1.11.4 |
| mit | kerberos_5 | 1.12 |
The check_rpcsec_auth function in kadmin/server/kadm_rpc_svc.c in kadmind in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 allows remote authenticated users to bypass a kadmin/* authorization check and obtain administrative access by leveraging access to a two-component principal with an initial "kadmind" substring, as demonstrated by a "ka/x" principal.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-284,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.11.3 |
| mit | kerberos_5 | 1.11 |
| mit | kerberos_5 | 1.12.1 |
| mit | kerberos_5 | 1.13 |
| mit | kerberos_5 | 1.11.5 |
| mit | kerberos_5 | 1.11.2 |
| mit | kerberos_5 | 1.12.2 |
| mit | kerberos_5 | 1.11.1 |
| mit | kerberos_5 | 1.11.4 |
| mit | kerberos_5 | 1.12 |
The svcauth_gss_accept_sec_context function in lib/rpc/svc_auth_gss.c in MIT Kerberos 5 (aka krb5) 1.11.x through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 transmits uninitialized interposer data to clients, which allows remote attackers to obtain sensitive information from process heap memory by sniffing the network for data in a handle field.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.11.3 |
| mit | kerberos_5 | 1.11 |
| mit | kerberos_5 | 1.12.1 |
| mit | kerberos_5 | 1.13 |
| mit | kerberos_5 | 1.11.5 |
| mit | kerberos_5 | 1.11.2 |
| mit | kerberos_5 | 1.12.2 |
| mit | kerberos_5 | 1.11.1 |
| mit | kerberos_5 | 1.11.4 |
| mit | kerberos_5 | 1.12 |
The kdcpreauth modules in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x before 1.13.2 do not properly track whether a client's request has been validated, which allows remote attackers to bypass an intended preauthentication requirement by providing (1) zero bytes of data or (2) an arbitrary realm name, related to plugins/preauth/otp/main.c and plugins/preauth/pkinit/pkinit_srv.c.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.12.1 |
| mit | kerberos_5 | 1.13 |
| mit | kerberos_5 | 1.13.1 |
| mit | kerberos_5 | 1.12.3 |
| mit | kerberos_5 | 1.12.2 |
| mit | kerberos_5 | 1.12 |
lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) before 1.14 relies on an inappropriate context handle, which allows remote attackers to cause a denial of service (incorrect pointer read and process crash) via a crafted SPNEGO packet that is mishandled during a gss_inquire_context call.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-763,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 14.04 |
| canonical | ubuntu_linux | 15.04 |
| mit | kerberos_5 | * |
| debian | debian_linux | 7.0 |
| suse | linux_enterprise_software_development_kit | 12 |
| debian | debian_linux | 8.0 |
| oracle | solaris | 11.3 |
| suse | linux_enterprise_server | 11 |
| opensuse | leap | 42.1 |
| suse | linux_enterprise_software_development_kit | 11 |
| canonical | ubuntu_linux | 12.04 |
| opensuse | opensuse | 13.2 |
| opensuse | opensuse | 13.1 |
| canonical | ubuntu_linux | 15.10 |
| debian | debian_linux | 9.0 |
| suse | linux_enterprise_server | 12 |
| suse | linux_enterprise_desktop | 11 |
| suse | linux_enterprise_desktop | 12 |
lib/gssapi/krb5/iakerb.c in MIT Kerberos 5 (aka krb5) before 1.14 relies on an inappropriate context handle, which allows remote attackers to cause a denial of service (incorrect pointer read and process crash) via a crafted IAKERB packet that is mishandled during a gss_inquire_context call.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-18,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 14.04 |
| canonical | ubuntu_linux | 15.04 |
| mit | kerberos_5 | * |
| debian | debian_linux | 7.0 |
| suse | linux_enterprise_software_development_kit | 12 |
| debian | debian_linux | 8.0 |
| opensuse | leap | 42.1 |
| canonical | ubuntu_linux | 12.04 |
| opensuse | opensuse | 13.2 |
| opensuse | opensuse | 13.1 |
| canonical | ubuntu_linux | 15.10 |
| debian | debian_linux | 9.0 |
| suse | linux_enterprise_server | 12 |
| suse | linux_enterprise_desktop | 12 |
The build_principal_va function in lib/krb5/krb/bld_princ.c in MIT Kerberos 5 (aka krb5) before 1.14 allows remote authenticated users to cause a denial of service (out-of-bounds read and KDC crash) via an initial '\0' character in a long realm field within a TGS request.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 14.04 |
| canonical | ubuntu_linux | 15.04 |
| mit | kerberos_5 | * |
| debian | debian_linux | 7.0 |
| suse | linux_enterprise_software_development_kit | 12 |
| debian | debian_linux | 8.0 |
| oracle | solaris | 11.3 |
| opensuse | leap | 42.1 |
| canonical | ubuntu_linux | 12.04 |
| opensuse | opensuse | 13.2 |
| opensuse | opensuse | 13.1 |
| canonical | ubuntu_linux | 15.10 |
| debian | debian_linux | 9.0 |
| suse | linux_enterprise_server | 12 |
| suse | linux_enterprise_desktop | 12 |
The iakerb_gss_export_sec_context function in lib/gssapi/krb5/iakerb.c in MIT Kerberos 5 (aka krb5) 1.14 pre-release 2015-09-14 improperly accesses a certain pointer, which allows remote authenticated users to cause a denial of service (memory corruption) or possibly have unspecified other impact by interacting with an application that calls the gss_export_sec_context function. NOTE: this vulnerability exists because of an incorrect fix for CVE-2015-2696.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.14 |
The xdr_nullstring function in lib/kadm5/kadm_rpc_xdr.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13.4 and 1.14.x before 1.14.1 does not verify whether '\0' characters exist as expected, which allows remote authenticated users to obtain sensitive information or cause a denial of service (out-of-bounds read) via a crafted string.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N | 1.6 | 3.6 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | enterprise_linux_server_aus | 7.3 |
| redhat | enterprise_linux_server_aus | 7.7 |
| mit | kerberos_5 | * |
| debian | debian_linux | 7.0 |
| redhat | enterprise_linux_server_tus | 7.2 |
| redhat | enterprise_linux_eus | 7.7 |
| redhat | enterprise_linux_server_aus | 7.6 |
| redhat | enterprise_linux_eus | 7.5 |
| redhat | enterprise_linux_eus | 6.7 |
| debian | debian_linux | 8.0 |
| redhat | enterprise_linux_server_tus | 7.3 |
| oracle | solaris | 11.3 |
| redhat | enterprise_linux_server | 7.0 |
| opensuse | opensuse | 13.2 |
| redhat | enterprise_linux_server_tus | 7.6 |
| redhat | enterprise_linux_server_aus | 7.4 |
| redhat | enterprise_linux_desktop | 7.0 |
| redhat | enterprise_linux_server_aus | 7.2 |
| redhat | enterprise_linux_server | 6.0 |
| redhat | enterprise_linux_workstation | 6.0 |
| oracle | linux | 7 |
| redhat | enterprise_linux_server_tus | 7.7 |
| redhat | enterprise_linux_desktop | 6.0 |
| redhat | enterprise_linux_eus | 7.3 |
| redhat | enterprise_linux_eus | 7.4 |
| oracle | linux | 6 |
| opensuse | leap | 42.1 |
| redhat | enterprise_linux_eus | 7.6 |
| redhat | enterprise_linux_eus | 7.2 |
| oracle | solaris | 10 |
| redhat | enterprise_linux_workstation | 7.0 |
The (1) kadm5_create_principal_3 and (2) kadm5_modify_principal functions in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x before 1.13.4 and 1.14.x before 1.14.1 allow remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) by specifying KADM5_POLICY with a NULL policy name.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.12.4 |
| mit | kerberos_5 | 1.13.3 |
| mit | kerberos_5 | 1.12.1 |
| mit | kerberos_5 | 1.13 |
| mit | kerberos_5 | 1.13.1 |
| mit | kerberos_5 | 1.14 |
| mit | kerberos_5 | 1.12.3 |
| mit | kerberos_5 | 1.13.2 |
| mit | kerberos_5 | 1.12.2 |
| mit | kerberos_5 | 1.12 |
| mit | kerberos_5 | 1.12.5 |
Multiple memory leaks in kadmin/server/server_stubs.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13.4 and 1.14.x before 1.14.1 allow remote authenticated users to cause a denial of service (memory consumption) via a request specifying a NULL principal name.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 2.8 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-772,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | enterprise_linux_server_aus | 7.3 |
| redhat | enterprise_linux_server_aus | 7.7 |
| mit | kerberos_5 | * |
| debian | debian_linux | 7.0 |
| redhat | enterprise_linux_server_tus | 7.2 |
| redhat | enterprise_linux_eus | 7.7 |
| redhat | enterprise_linux_server_aus | 7.6 |
| redhat | enterprise_linux_eus | 7.5 |
| redhat | enterprise_linux_eus | 6.7 |
| debian | debian_linux | 8.0 |
| redhat | enterprise_linux_server_tus | 7.3 |
| redhat | enterprise_linux_server | 7.0 |
| opensuse | opensuse | 13.2 |
| redhat | enterprise_linux_server_tus | 7.6 |
| redhat | enterprise_linux_server_aus | 7.4 |
| redhat | enterprise_linux_desktop | 7.0 |
| redhat | enterprise_linux_server_aus | 7.2 |
| redhat | enterprise_linux_server | 6.0 |
| redhat | enterprise_linux_workstation | 6.0 |
| oracle | linux | 7 |
| redhat | enterprise_linux_server_tus | 7.7 |
| redhat | enterprise_linux_desktop | 6.0 |
| redhat | enterprise_linux_eus | 7.3 |
| redhat | enterprise_linux_eus | 7.4 |
| oracle | linux | 6 |
| opensuse | leap | 42.1 |
| redhat | enterprise_linux_eus | 7.6 |
| redhat | enterprise_linux_eus | 7.2 |
| redhat | enterprise_linux_workstation | 7.0 |
The process_db_args function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in the LDAP KDB module in kadmind in MIT Kerberos 5 (aka krb5) through 1.13.4 and 1.14.x through 1.14.1 mishandles the DB argument, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted request to modify a principal.
CVSS 2.0
Severity: LOW
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.9.4 |
| mit | kerberos_5 | 1.14.1 |
| mit | kerberos_5 | 1.8.3 |
| mit | kerberos_5 | 1.13 |
| mit | kerberos_5 | 1.13.1 |
| mit | kerberos_5 | 1.5 |
| mit | kerberos_5 | 1.2.5 |
| mit | kerberos_5 | 1.3.3 |
| mit | kerberos_5 | 1.8.6 |
| mit | kerberos_5 | 1.6.1 |
| mit | kerberos_5 | 1.9 |
| mit | kerberos_5 | 1.12 |
| mit | kerberos_5 | 1.5.3 |
| mit | kerberos_5 | 1.9.2 |
| mit | kerberos_5 | 1.13.4 |
| mit | kerberos_5 | 1.14 |
| mit | kerberos_5 | 1.7 |
| mit | kerberos_5 | 1.1.1 |
| mit | kerberos_5 | 1.2.8 |
| mit | kerberos_5 | 1.6.2 |
| mit | kerberos_5 | 1.4.3 |
| mit | kerberos_5 | 1.9.3 |
| mit | kerberos_5 | 1.2.1 |
| mit | kerberos_5 | 1.0 |
| opensuse | leap | 42.1 |
| mit | kerberos_5 | 1.3.4 |
| mit | kerberos_5 | 1.2.2 |
| mit | kerberos_5 | 1.6 |
| mit | kerberos_5 | 1.3.6 |
| mit | kerberos_5 | 1.3 |
| mit | kerberos_5 | 1.5.2 |
| mit | kerberos_5 | 1.13.3 |
| mit | kerberos_5 | 1.0.6 |
| mit | kerberos_5 | 1.11.3 |
| mit | kerberos_5 | 1.4 |
| mit | kerberos_5 | 1.12.1 |
| mit | kerberos_5 | 1.10.1 |
| mit | kerberos_5 | 1.11.2 |
| mit | kerberos_5 | 1.10.3 |
| mit | kerberos_5 | 1.2.7 |
| mit | kerberos_5 | 1.14.0 |
| mit | kerberos_5 | 1.4.4 |
| opensuse | opensuse | 13.2 |
| mit | kerberos_5 | 1.11.5 |
| mit | kerberos_5 | 1.8.2 |
| mit | kerberos_5 | 1.10.4 |
| mit | kerberos_5 | 1.12.3 |
| mit | kerberos_5 | 1.4.1 |
| mit | kerberos_5 | 1.3.5 |
| mit | kerberos_5 | 1.13.2 |
| mit | kerberos_5 | 1.8.1 |
| mit | kerberos_5 | 1.9.1 |
| mit | kerberos_5 | 1.11.1 |
| mit | kerberos_5 | 1.11.4 |
| mit | kerberos_5 | 1.4.2 |
| mit | kerberos_5 | 1.2 |
| mit | kerberos_5 | 1.11 |
| mit | kerberos_5 | 1.7.1 |
| mit | kerberos_5 | 1.3.2 |
| mit | kerberos_5 | 1.1 |
| mit | kerberos_5 | 1.2.6 |
| mit | kerberos_5 | 1.8 |
| mit | kerberos_5 | 1.12.2 |
| mit | kerberos_5 | 1.5.1 |
| mit | kerberos_5 | 1.8.4 |
| mit | kerberos_5 | 1.8.5 |
| mit | kerberos_5 | 1.2.4 |
| mit | kerberos_5 | 1.10 |
| mit | kerberos_5 | 1.3.1 |
| mit | kerberos_5 | 1.2.3 |
| mit | kerberos_5 | 1.10.2 |
The validate_as_request function in kdc_util.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.13.6 and 1.4.x before 1.14.3, when restrict_anonymous_to_tgt is enabled, uses an incorrect client data structure, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via an S4U2Self request.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-476,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.13.3 |
| mit | kerberos_5 | 1.14.1 |
| mit | kerberos_5 | 1.13.5 |
| mit | kerberos_5 | 1.13.6 |
| mit | kerberos_5 | 1.13.4 |
| mit | kerberos_5 | 1.13 |
| mit | kerberos_5 | 1.13.1 |
| mit | kerberos_5 | 1.14 |
| mit | kerberos_5 | 1.13.2 |
| mit | kerberos_5 | 1.14.2 |
In MIT Kerberos 5 (aka krb5) 1.7 and later, an authenticated attacker can cause a KDC assertion failure by sending invalid S4U2Self or S4U2Proxy requests.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-617,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | 1.9.4 |
| mit | kerberos_5 | 1.13.3 |
| mit | kerberos_5 | 1.14.1 |
| mit | kerberos_5 | 1.13.5 |
| mit | kerberos_5 | 1.8.3 |
| mit | kerberos_5 | 1.11.3 |
| mit | kerberos_5 | 1.12.1 |
| mit | kerberos_5 | 1.13 |
| mit | kerberos_5 | 1.13.1 |
| mit | kerberos_5 | 1.10.1 |
| mit | kerberos_5 | 1.8.6 |
| mit | kerberos_5 | 1.11.2 |
| mit | kerberos_5 | 1.10.3 |
| mit | kerberos_5 | 1.9 |
| mit | kerberos_5 | 1.14.5 |
| mit | kerberos_5 | 1.12 |
| fedoraproject | fedora | 26 |
| mit | kerberos_5 | 1.9.2 |
| mit | kerberos_5 | 1.11.5 |
| mit | kerberos_5 | 1.8.2 |
| mit | kerberos_5 | 1.14 |
| mit | kerberos_5 | 1.7 |
| mit | kerberos_5 | 1.10.4 |
| mit | kerberos_5 | 1.12.3 |
| mit | kerberos_5 | 1.15.1 |
| mit | kerberos_5 | 1.13.2 |
| mit | kerberos_5 | 1.8.1 |
| mit | kerberos_5 | 1.9.1 |
| mit | kerberos_5 | 1.14.3 |
| mit | kerberos_5 | 1.11.1 |
| mit | kerberos_5 | 1.11.4 |
| mit | kerberos_5 | 1.9.3 |
| mit | kerberos_5 | 1.11 |
| mit | kerberos_5 | 1.7.1 |
| fedoraproject | fedora | 25 |
| mit | kerberos_5 | 1.8 |
| mit | kerberos | 5-1.13.7 |
| mit | kerberos_5 | 1.12.2 |
| mit | kerberos_5 | 1.14.2 |
| mit | kerberos_5 | 1.8.4 |
| mit | kerberos_5 | 1.8.5 |
| mit | kerberos_5 | 1.13.6 |
| mit | kerberos_5 | 1.10 |
| mit | kerberos_5 | 1.14.4 |
| mit | kerberos_5 | 1.15 |
| mit | kerberos_5 | 1.10.2 |
Double free vulnerability in MIT Kerberos 5 (aka krb5) allows attackers to have unspecified impact via vectors involving automatic deletion of security contexts on error.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-415,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 26 |
| mit | kerberos_5 | 1.14.1 |
| mit | kerberos_5 | 1.14.4 |
| fedoraproject | fedora | 25 |
| mit | kerberos_5 | 1.14 |
| mit | kerberos_5 | 1.15.1 |
| mit | kerberos_5 | 1.14.3 |
| mit | kerberos_5 | 1.15 |
| mit | kerberos_5 | 1.14.2 |
| mit | kerberos_5 | 1.14.5 |
plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related to the get_matching_data and X509_NAME_oneline_ex functions. NOTE: this has security relevance only in use cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin code that is specific to Red Hat.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-121,CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | * |
An authentication bypass flaw was found in the way krb5's certauth interface before 1.16.1 handled the validation of client certificates. A remote attacker able to communicate with the KDC could potentially use this flaw to impersonate arbitrary principals under rare and erroneous circumstances.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N | 2.8 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-287,CWE-295,CWE-287,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | enterprise_linux_server | 7.0 |
| mit | kerberos_5 | * |
| redhat | enterprise_linux | 7.0 |
| redhat | enterprise_linux_desktop | 7.0 |
| redhat | enterprise_linux_workstation | 7.0 |
A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H | 1.6 | 3.6 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-617,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos | * |
| debian | debian_linux | 9.0 |
| debian | debian_linux | 8.0 |
An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-190,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos | * |
An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. The pre-defined function "strlen" is getting a "NULL" string as a parameter value in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in the Key Distribution Center (KDC), which allows remote authenticated users to cause a denial of service (NULL pointer dereference) via a modified kadmin client.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-476,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos | * |
MIT krb5 1.6 or later allows an authenticated kadmin with permission to add principals to an LDAP Kerberos database to cause a denial of service (NULL pointer dereference) or bypass a DN container check by supplying tagged data that is internal to the database module.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 4.7 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L | 1.2 | 3.4 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-476,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 26 |
| redhat | enterprise_linux_server | 7.0 |
| mit | kerberos_5 | * |
| debian | debian_linux | 9.0 |
| redhat | enterprise_linux_desktop | 7.0 |
| redhat | enterprise_linux_workstation | 7.0 |
| debian | debian_linux | 8.0 |
| fedoraproject | fedora | 27 |
MIT krb5 1.6 or later allows an authenticated kadmin with permission to add principals to an LDAP Kerberos database to circumvent a DN containership check by supplying both a "linkdn" and "containerdn" database argument, or by supplying a DN string which is a left extension of a container DN string but is not hierarchically within the container DN.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 3.8 | LOW | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N | 1.2 | 2.5 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-90,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 26 |
| redhat | enterprise_linux_server | 7.0 |
| mit | kerberos_5 | * |
| debian | debian_linux | 9.0 |
| redhat | enterprise_linux_desktop | 7.0 |
| redhat | enterprise_linux_workstation | 7.0 |
| debian | debian_linux | 8.0 |
| fedoraproject | fedora | 27 |
A flaw was found in, Fedora versions of krb5 from 1.16.1 to, including 1.17.x, in the way a Kerberos client could crash the KDC by sending one of the RFC 4556 "enctypes". A remote unauthenticated user could use this flaw to crash the KDC.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-628,NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 29 |
| fedoraproject | fedora | 30 |
| mit | kerberos_5 | * |
| fedoraproject | fedora | 31 |
An issue was discovered in rcp in MIT krb5-appl through 1.0.3. Due to the rcp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the rcp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious rcp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rcp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file). This issue is similar to CVE-2019-6111 and CVE-2019-7283. NOTE: MIT krb5-appl is not supported upstream but is shipped by a few Linux distributions. The affected code was removed from the supported MIT Kerberos 5 (aka krb5) product many years ago, at version 1.8.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N | 2.2 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-863,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | krb5-appl | * |
In the rcp client in MIT krb5-appl through 1.0.3, malicious servers could bypass intended access restrictions via the filename of . or an empty filename, similar to CVE-2018-20685 and CVE-2019-7282. The impact is modifying the permissions of the target directory on the client side. NOTE: MIT krb5-appl is not supported upstream but is shipped by a few Linux distributions. The affected code was removed from the supported MIT Kerberos 5 (aka krb5) product many years ago, at version 1.8.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | krb5-appl | * |
MIT Lifelong Kindergarten Scratch scratch-vm before 0.2.0-prerelease.20200714185213 loads extension URLs from untrusted project.json files with certain _ characters, resulting in remote code execution because the URL's content is treated as a script and is executed as a worker. The responsible code is getExtensionIdForOpcode in serialization/sb3.js. The use of _ is incompatible with a protection mechanism in older versions, in which URLs were split and consequently deserialization attacks were prevented. NOTE: the scratch.mit.edu hosted service is not affected because of the lack of worker scripts.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | scratch-vm | * |
A DOM-based cross-site scripting (XSS) vulnerability in Scratch-Svg-Renderer v0.2.0 allows attackers to execute arbitrary web scripts or HTML via a crafted sb3 file.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | scratch-svg-renderer | 0.2.0 |
MIT Kerberos 5 (aka krb5) before 1.17.2 and 1.18.x before 1.18.3 allows unbounded recursion via an ASN.1-encoded Kerberos message because the lib/krb5/asn.1/asn1_encode.c support for BER indefinite lengths lacks a recursion limit.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-674,CWE-674,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| netapp | active_iq_unified_manager | - |
| netapp | snapcenter | - |
| mit | kerberos_5 | * |
| oracle | communications_pricing_design_center | 12.0.0.3.0 |
| fedoraproject | fedora | 31 |
| oracle | mysql_server | * |
| netapp | cloud_backup | - |
| netapp | oncommand_insight | - |
| netapp | oncommand_workflow_automation | - |
| oracle | communications_offline_mediation_controller | 12.0.0.3.0 |
| oracle | communications_cloud_native_core_policy | 1.14.0 |
This affects the package scratch-svg-renderer before 0.2.0-prerelease.20201019174008. The loadString function does not escape SVG properly, which can be used to inject arbitrary elements into the DOM via the _transformMeasurements function.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| report@snyk.io | 9.6 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H | 2.8 | 6.0 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | scratch-svg-renderer | 0.2.0 |
| mit | scratch-svg-renderer | 0.1.0 |
Insufficient input validation in the Marvin Minsky 1967 implementation of the Universal Turing Machine allows program users to execute arbitrary code via crafted data. For example, a tape head may have an unexpected location after the processing of input composed of As and Bs (instead of 0s and 1s). NOTE: the discoverer states "this vulnerability has no real-world implications."
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | universal_turing_machine | - |
ec_verify in kdc/kdc_preauth_ec.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.4 and 1.19.x before 1.19.2 allows remote attackers to cause a NULL pointer dereference and daemon crash. This occurs because a return value is not properly managed in a certain situation.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-476,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| netapp | active_iq_unified_manager | - |
| debian | debian_linux | 10.0 |
| netapp | snapcenter | - |
| mit | kerberos_5 | * |
| oracle | mysql_server | * |
| netapp | oncommand_insight | - |
| netapp | oncommand_workflow_automation | - |
The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.5 and 1.19.x before 1.19.3 has a NULL pointer dereference in kdc/do_tgs_req.c via a FAST inner body that lacks a server field.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 2.8 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-476,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | * |
| debian | debian_linux | 9.0 |
| fedoraproject | fedora | 33 |
| oracle | communications_cloud_native_core_network_slice_selection_function | 22.1.0 |
| starwindsoftware | starwind_virtual_san | v8r13 |
telnetd in GNU Inetutils through 2.3, MIT krb5-appl through 1.0.3, and derivative works has a NULL pointer dereference via 0xff 0xf7 or 0xff 0xf8. In a typical installation, the telnetd application would crash but the telnet service would remain available through inetd. However, if the telnetd application has many crashes within a short time interval, the telnet service would become unavailable after inetd logs a "telnet/tcp server failing (looping), service terminated" error. NOTE: MIT krb5-appl is not supported upstream but is shipped by a few Linux distributions. The affected code was removed from the supported MIT Kerberos 5 (aka krb5) product many years ago, at version 1.8.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| gnu | inetutils | * |
| debian | debian_linux | 10.0 |
| mit | kerberos_5 | * |
| netkit-telnet_project | netkit-telnet | * |
PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has "a similar bug."
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | * |
| samba | samba | * |
| heimdal_project | heimdal | * |
| mit | kerberos_5 | 1.20 |
lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| netapp | active_iq_unified_manager | - |
| debian | debian_linux | 10.0 |
| mit | kerberos_5 | 1.21 |
| netapp | hci | - |
| mit | kerberos_5 | * |
| netapp | management_services_for_element_software | - |
| netapp | ontap_tools | - |
| netapp | clustered_data_ontap | 9.0 |
kdc/do_tgs_req.c in MIT Kerberos 5 (aka krb5) 1.21 before 1.21.2 has a double free that is reachable if an authenticated user can trigger an authorization-data handling failure. Incorrect data is copied from one ticket to another.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | * |
Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| netapp | active_iq_unified_manager | - |
| netapp | h610s_firmware | - |
| netapp | h615c_firmware | - |
| netapp | ontap_select_deploy_administration_utility | - |
| netapp | cloud_volumes_ontap_mediator | - |
| netapp | ontap_9 | - |
| netapp | h610c_firmware | - |
| mit | kerberos_5 | 1.21.2 |
| netapp | management_services_for_element_software_and_netapp_hci | - |
Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| netapp | active_iq_unified_manager | - |
| netapp | h610s_firmware | - |
| netapp | h615c_firmware | - |
| netapp | ontap_select_deploy_administration_utility | - |
| netapp | cloud_volumes_ontap_mediator | - |
| netapp | ontap_9 | - |
| netapp | h610c_firmware | - |
| mit | kerberos_5 | 1.21.2 |
| netapp | management_services_for_element_software_and_netapp_hci | - |
Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| netapp | active_iq_unified_manager | - |
| netapp | h610s_firmware | - |
| netapp | h615c_firmware | - |
| netapp | ontap_select_deploy_administration_utility | - |
| netapp | cloud_volumes_ontap_mediator | - |
| netapp | h610c_firmware | - |
| mit | kerberos_5 | 1.21.2 |
| netapp | management_services_for_element_software_and_netapp_hci | - |
In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | * |
In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mit | kerberos_5 | * |
| debian | debian_linux | 12.0 |
| debian | debian_linux | 11.0 |