MidnightBSD

Advisories for mit

CVE-1999-0143 MEDIUM

Kerberos 4 key servers allow a user to masquerade as another by breaking and generating session keys.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
sun sunos 5.4
process_software multinet 3.4
sun sunos 5.3
mit kerberos 4.0
process_software multinet 3.5
mit kerberos_5 -
CVE-1999-0713 HIGH

The dtlogin program in Compaq Tru64 UNIX allows local users to gain root privileges.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
transarc afs *
cde cde *
digital unix *
mit kerberos_5 -
CVE-1999-1296 HIGH

Buffer overflow in Kerberos IV compatibility libraries as used in Kerberos V allows local users to gain root privileges via a long line in a kerberos configuration file, which can be specified via the KRB_CONF environmental variable.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
mit kerberos_5 1.5.2
CVE-1999-1321 HIGH

Buffer overflow in ssh 1.2.26 client with Kerberos V enabled could allow remote attackers to cause a denial of service or execute arbitrary commands via a long DNS hostname that is not properly handled during TGT ticket passing.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
mit kerberos v
CVE-2000-0389 HIGH

Buffer overflow in krb_rd_req function in Kerberos 4 and 5 allows remote attackers to gain root privileges.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
cygnus cygnus_network_security 4.0
cygnus kerbnet 5.0
mit kerberos 4.0
redhat linux 6.2
mit kerberos_5 1.1.1
mit kerberos_5 1.0
CVE-2000-0390 HIGH

Buffer overflow in krb425_conv_principal function in Kerberos 5 allows remote attackers to gain root privileges.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
cygnus cygnus_network_security 4.0
cygnus kerbnet 5.0
mit kerberos 4.0
redhat linux 6.2
mit kerberos_5 1.1.1
mit kerberos_5 1.0
CVE-2000-0391 HIGH

Buffer overflow in krshd in Kerberos 5 allows remote attackers to gain root privileges.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
cygnus cygnus_network_security 4.0
cygnus kerbnet 5.0
mit kerberos 4.0
redhat linux 6.2
mit kerberos_5 1.1.1
mit kerberos_5 1.0
CVE-2000-0392 HIGH

Buffer overflow in ksu in Kerberos 5 allows local users to gain root privileges.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
cygnus cygnus_network_security 4.0
cygnus kerbnet 5.0
mit kerberos 4.0
redhat linux 6.2
mit kerberos_5 1.1.1
mit kerberos_5 1.0
CVE-2000-0514 HIGH

GSSFTP FTP daemon in Kerberos 5 1.1.x does not properly restrict access to some FTP commands, which allows remote attackers to cause a denial of service, and local users to gain root privileges.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
mit kerberos_5 1.1
mit kerberos_5 1.1.1
CVE-2000-0546 MEDIUM

Buffer overflow in Kerberos 4 KDC program allows remote attackers to cause a denial of service via the lastrealm variable in the set_tgtkey function.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-120,

Products Affected

Vendor Product Version
mit kerberos *
mit kerberos_5 *
mit kerberos_5 1.1
mit kerberos 4.0
kerbnet_project kerbnet -
mit kerberos_5 1.1.1
cygnus_network_security_project cygnus_network_security -
CVE-2000-0547 MEDIUM

Buffer overflow in Kerberos 4 KDC program allows remote attackers to cause a denial of service via the localrealm variable in the process_v4 function.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-120,

Products Affected

Vendor Product Version
mit kerberos *
mit kerberos_5 *
mit kerberos_5 1.1
mit kerberos 4.0
kerbnet_project kerbnet -
mit kerberos_5 1.1.1
cygnus_network_security_project cygnus_network_security -
CVE-2000-0548 MEDIUM

Buffer overflow in Kerberos 4 KDC program allows remote attackers to cause a denial of service via the e_msg variable in the kerb_err_reply function.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-120,

Products Affected

Vendor Product Version
mit kerberos *
mit kerberos_5 *
mit kerberos_5 1.1
mit kerberos 4.0
kerbnet_project kerbnet -
mit kerberos_5 1.1.1
cygnus_network_security_project cygnus_network_security -
CVE-2000-0549 MEDIUM

Kerberos 4 KDC program does not properly check for null termination of AUTH_MSG_KDC_REQUEST requests, which allows remote attackers to cause a denial of service via a malformed request.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
cygnus cygnus_network_security 4.0
mit kerberos_5 1.1
cygnus kerbnet 5.0
mit kerberos 4.0
mit kerberos_5 1.1.1
mit kerberos_5 1.0
CVE-2000-0550 MEDIUM

Kerberos 4 KDC program improperly frees memory twice (aka "double-free"), which allows remote attackers to cause a denial of service.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
cygnus cygnus_network_security 4.0
mit kerberos_5 1.1
cygnus kerbnet 5.0
mit kerberos 4.0
mit kerberos_5 1.1.1
mit kerberos_5 1.0
CVE-2001-0247 HIGH

Buffer overflows in BSD-based FTP servers allows remote attackers to execute arbitrary commands via a long pattern string containing a {} sequence, as seen in (1) g_opendir, (2) g_lstat, (3) g_stat, and (4) the glob0 buffer as used in the glob functions glob2 and glob3.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
netbsd netbsd 1.3.2
freebsd freebsd 3.1
sgi irix 6.5.4
freebsd freebsd 2.2
freebsd freebsd 4.1
netbsd netbsd 1.4
openbsd openbsd 2.6
netbsd netbsd 1.3.3
sgi irix 6.5.10
netbsd netbsd 1.2.1
netbsd netbsd 1.5
freebsd freebsd 2.2.2
mit kerberos_5 1.1.1
freebsd freebsd 3.0
freebsd freebsd 2.2.3
freebsd freebsd 2.2.8
sgi irix 6.5.3
mit kerberos_5 1.2.1
netbsd netbsd 1.4.2
mit kerberos_5 1.2.2
sgi irix 6.5.5
freebsd freebsd 2.2.5
freebsd freebsd 3.5.1
freebsd freebsd 4.0
netbsd netbsd 1.4.3
freebsd freebsd 3.5
openbsd openbsd 2.5
freebsd freebsd 3.4
netbsd netbsd 1.3
openbsd openbsd 2.3
freebsd freebsd 3.2
freebsd freebsd 4.2
freebsd freebsd 3.3
freebsd freebsd 4.1.1
sgi irix 6.5.1
netbsd netbsd 1.4.1
openbsd openbsd 2.8
freebsd freebsd 2.2.4
sgi irix 6.5.7
sgi irix 6.5.3m
mit kerberos_5 1.2
sgi irix 6.5.3f
freebsd freebsd 2.2.6
sgi irix 6.1
sgi irix 6.5.2m
sgi irix 6.5.6
sgi irix 6.5.11
openbsd openbsd 2.7
sgi irix 6.5.8
openbsd openbsd 2.4
netbsd netbsd 1.3.1
CVE-2001-0417 LOW

Kerberos 4 (aka krb4) allows local users to overwrite arbitrary files via a symlink attack on new ticket files.

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
mit kerberos 4
mit kerberos_5 1.5.2
CVE-2001-0554 HIGH

Buffer overflow in BSD-based telnetd telnet daemon on various operating systems allows remote attackers to execute arbitrary commands via a set of options including AYT (Are You There), which is not properly handled by the telrcv function.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-120,

Products Affected

Vendor Product Version
netbsd netbsd 1.3.2
freebsd freebsd 2.1.0
sun sunos 5.1
freebsd freebsd 3.1
freebsd freebsd 2.2
freebsd freebsd 4.1
netkit linux_netkit 0.10
sun sunos 5.8
sun sunos 5.4
netbsd netbsd 1.4
openbsd openbsd 2.6
netbsd netbsd 1.3.3
netbsd netbsd 1.2.1
netbsd netbsd 1.5
sun solaris 2.6
freebsd freebsd 2.2.2
mit kerberos_5 1.1.1
freebsd freebsd 2.1.6
freebsd freebsd 2.2.1
freebsd freebsd 3.0
freebsd freebsd 2.2.3
freebsd freebsd 2.0.1
sun sunos 5.5.1
freebsd freebsd 2.2.8
sun sunos 5.3
mit kerberos 1.0
mit kerberos_5 1.2.1
netbsd netbsd 1.4.2
ibm aix 4.3.3
netbsd netbsd 1.5.1
mit kerberos_5 1.2.2
sun sunos 5.2
freebsd freebsd 2.1.7.1
openbsd openbsd 2.2
freebsd freebsd 2.2.5
netkit linux_netkit 0.12
freebsd freebsd 3.5.1
freebsd freebsd 4.0
netbsd netbsd 1.4.3
freebsd freebsd 2.1.7
freebsd freebsd 3.5
openbsd openbsd 2.5
freebsd freebsd 3.4
freebsd freebsd 4.3
netbsd netbsd 1.3
openbsd openbsd 2.3
netkit linux_netkit 0.11
freebsd freebsd 3.2
freebsd freebsd 4.2
freebsd freebsd 3.3
netbsd netbsd 1.2
freebsd freebsd 4.1.1
ibm aix 4.3
netbsd netbsd 1.4.1
openbsd openbsd 2.8
freebsd freebsd 2.1.5
freebsd freebsd 2.2.4
ibm aix 4.3.1
ibm aix 5.1
sun sunos 5.7
ibm aix 4.3.2
freebsd freebsd 2.1.6.1
mit kerberos_5 1.2
sgi irix 6.5
freebsd freebsd 2.2.6
mit kerberos_5 1.1
freebsd freebsd 2.0.5
openbsd openbsd 2.0
freebsd freebsd 2.2.7
sun sunos 5.5
sun sunos 5.0
debian debian_linux 2.2
freebsd freebsd 2.1
openbsd openbsd 2.7
netbsd netbsd 1.0
freebsd freebsd 2.0
netbsd netbsd 1.1
openbsd openbsd 2.4
netbsd netbsd 1.3.1
openbsd openbsd 2.1
CVE-2001-1323 HIGH

Buffer overflow in MIT Kerberos 5 (krb5) 1.2.2 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via base-64 encoded data, which is not properly handled when the radix_encode function processes file glob output from the ftpglob function.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-120,

Products Affected

Vendor Product Version
mit kerberos_5 *
CVE-2002-0036 MEDIUM

Integer signedness error in MIT Kerberos V5 ASN.1 decoder before krb5 1.2.5 allows remote attackers to cause a denial of service via a large unsigned data element length, which is later used as a negative value.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
mit kerberos_5 1.2.2
mit kerberos_5 1.2.4
mit kerberos_5 1.2.3
mit kerberos_5 1.2.1
CVE-2002-0900 HIGH

Buffer overflow in pks PGP public key web server before 0.9.5 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long search argument to the lookup capability.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
mit pgp_public_key_server 0.9.4
mit pgp_public_key_server 0.9.2
CVE-2002-1235 HIGH

The kadm_ser_in function in (1) the Kerberos v4compatibility administration daemon (kadmind4) in the MIT Kerberos 5 (krb5) krb5-1.2.6 and earlier, (2) kadmind in KTH Kerberos 4 (eBones) before 1.2.1, and (3) kadmind in KTH Kerberos 5 (Heimdal) before 0.5.1 when compiled with Kerberos 4 support, does not properly verify the length field of a request, which allows remote attackers to execute arbitrary code via a buffer overflow attack.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
kth kth_kerberos_5 *
mit kerberos_5 *
kth kth_kerberos_4 *
debian debian_linux 3.0
CVE-2002-1575 MEDIUM

cgiemail allows remote attackers to use cgiemail as a spam proxy via CRLF injection of encoded newline (%0a) characters in parameters such as "required-subject," which can be used to modify the CC, BCC, and other header fields in the generated email message.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
mit cgiemail 1.6
CVE-2002-1652 HIGH

Buffer overflow in cgicso.c for cgiemail 1.6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long query parameter.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
mit cgiemail 1.6
CVE-2003-0028 HIGH

Integer overflow in the xdrmem_getbytes() function, and possibly other functions, of XDR (external data representation) libraries derived from SunRPC, including libnsl, libc, glibc, and dietlibc, allows remote attackers to execute arbitrary code via certain integer values in length fields, a different vulnerability than CVE-2002-0391.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
hp hp-ux 10.20
cray unicos 9.2
openbsd openbsd 2.9
mit kerberos_5 1.2.5
sgi irix 6.5.4
freebsd freebsd 4.1
sgi irix 6.5.11m
sgi irix 6.5.11f
sgi irix 6.5.2f
openafs openafs 1.2.2a
sgi irix 6.5.8f
sgi irix 6.5.6m
sgi irix 6.5.6f
hp hp-ux 11.20
gnu glibc 2.1.3
openafs openafs 1.0.2
sgi irix 6.5.5f
cray unicos 9.2.4
openbsd openbsd 3.2
openafs openafs 1.0.3
sgi irix 6.5.12m
gnu glibc 2.3.2
sgi irix 6.5.12f
sgi irix 6.5.13f
sun sunos -
sgi irix 6.5.3
cray unicos 6.0e
sgi irix 6.5.10m
sgi irix 6.5.9f
openafs openafs 1.2.6
ibm aix 5.2
openafs openafs 1.2.4
openbsd openbsd 2.2
hp hp-ux 10.24
freebsd freebsd 4.0
sgi irix 6.5.14f
cray unicos 6.1
freebsd freebsd 4.3
sgi irix 6.5.18f
sgi irix 6.5.15
sgi irix 6.5.18
sgi irix 6.5.18m
cray unicos 6.0
gnu glibc 2.1.1
openafs openafs 1.2.2
openafs openafs 1.1.1a
freebsd freebsd 4.2
openafs openafs 1.3.2
gnu glibc 2.2.5
sgi irix 6.5.7f
gnu glibc 2.1.2
openbsd openbsd 2.8
sgi irix 6.5.4f
gnu glibc 2.1
sgi irix 6.5.5m
cray unicos 8.3
openafs openafs 1.3
sgi irix 6.5.7
openafs openafs 1.0
openafs openafs 1.2.3
sgi irix 6.5
sgi irix 6.5.3f
sun solaris 9.0
sgi irix 6.5.13m
gnu glibc 2.2.3
sgi irix 6.5.2m
gnu glibc 2.3
cray unicos 9.0
sgi irix 6.5.14
openafs openafs 1.1.1
openafs openafs 1.2.5
mit kerberos_5 1.2.4
sgi irix 6.5.8m
openbsd openbsd 2.7
sgi irix 6.5.8
hp hp-ux_series_700 10.20
sgi irix 6.5.9
freebsd freebsd 4.6
openafs openafs 1.1
openafs openafs 1.0.4
openbsd openbsd 2.1
freebsd freebsd 5.0
sgi irix 6.5.7m
cray unicos 7.0
openafs openafs 1.2
openafs openafs 1.2.1
sgi irix 6.5.13
hp hp-ux_series_800 10.20
sun solaris 8.0
hp hp-ux 11.22
sun sunos 5.8
sgi irix 6.5.12
openbsd openbsd 2.6
sgi irix 6.5.10
sgi irix 6.5.15f
sun solaris 2.6
hp hp-ux 11.11
freebsd freebsd 4.5
gnu glibc 2.2.2
sgi irix 6.5.20
openafs openafs 1.3.1
sun sunos 5.5.1
sgi irix 6.5.4m
gnu glibc 2.2
openafs openafs 1.0.1
mit kerberos_5 1.2.1
sgi irix 6.5.16m
sun solaris 7.0
hp hp-ux 11.00
openbsd openbsd 3.1
ibm aix 4.3.3
openbsd openbsd 3.0
gnu glibc 2.3.1
mit kerberos_5 1.2.2
openafs openafs 1.2.2b
sgi irix 6.5.5
cray unicos 9.0.2.5
sgi irix 6.5.14m
gnu glibc 2.2.4
sgi irix 6.5.2
openbsd openbsd 2.5
sgi irix 6.5.9m
hp hp-ux 11.04
freebsd freebsd 4.7
openbsd openbsd 2.3
sgi irix 6.5.16f
mit kerberos_5 1.2.7
sgi irix 6.5.16
sun solaris 2.5.1
sgi irix 6.5.15m
freebsd freebsd 4.1.1
sgi irix 6.5.1
ibm aix 5.1
sgi irix 6.5.17f
sgi irix 6.5.10f
sgi irix 6.5.17m
sun sunos 5.7
sgi irix 6.5.3m
sgi irix 6.5.19
mit kerberos_5 1.2
mit kerberos_5 1.2.6
openbsd openbsd 2.0
freebsd freebsd 4.6.2
sgi irix 6.5.6
openafs openafs 1.0.4a
sgi irix 6.5.17
sgi irix 6.5.11
gnu glibc 2.2.1
mit kerberos_5 1.2.3
openbsd openbsd 2.4
freebsd freebsd 4.4
cray unicos 8.0
CVE-2003-0041 HIGH

Kerberos FTP client allows remote FTP sites to execute arbitrary code via a pipe (|) character in a filename that is retrieved by the client.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,

Products Affected

Vendor Product Version
redhat linux 7.2
mandrakesoft mandrake_linux 8.2
mandrakesoft mandrake_linux 8.1
redhat linux 7.1
mandrakesoft mandrake_multi_network_firewall 8.2
redhat linux 8.0
mit kerberos_ftp_client *
redhat linux 6.2
redhat linux 7.3
mandrakesoft mandrake_linux 9.0
redhat linux 7.0
CVE-2003-0058 MEDIUM

MIT Kerberos V5 Key Distribution Center (KDC) before 1.2.5 allows remote authenticated attackers to cause a denial of service (crash) on KDCs within the same realm via a certain protocol request that causes a null dereference.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
sun enterprise_authentication_mechanism 1.0
sun sunos 5.8
mit kerberos_5 1.2.2
mit kerberos_5 1.2.4
sun solaris 9.0
mit kerberos_5 1.2.3
mit kerberos_5 1.2.1
sun solaris 8.0
CVE-2003-0059 HIGH

Unknown vulnerability in the chk_trans.c of the libkrb5 library for MIT Kerberos V5 before 1.2.5 allows users from one realm to impersonate users in other realms that have the same inter-realm keys.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
mit kerberos_5 1.2.2
mit kerberos_5 1.2.1
CVE-2003-0060 HIGH

Format string vulnerabilities in the logging routines for MIT Kerberos V5 Key Distribution Center (KDC) before 1.2.5 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers in Kerberos principal names.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
mit kerberos_5 1.2.2
mit kerberos_5 1.2.4
mit kerberos_5 1.2.3
mit kerberos_5 1.2.1
CVE-2003-0072 MEDIUM

The Key Distribution Center (KDC) in Kerberos 5 (krb5) 1.2.7 and earlier allows remote, authenticated attackers to cause a denial of service (crash) on KDCs within the same realm using a certain protocol request that causes an out-of-bounds read of an array (aka "array overrun").

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
mit kerberos_5 1.2
mit kerberos_5 1.0.6
mit kerberos_5 1.1
mit kerberos_5 1.2.6
mit kerberos_5 1.2.5
mit kerberos 1.0
mit kerberos_5 1.2.1
mit kerberos_5 1.2.7
mit kerberos_5 1.2.2
mit kerberos_5 1.2.4
mit kerberos_5 1.2.3
mit kerberos_5 1.1.1
mit kerberos_5 1.3
mit kerberos 1.2.2.beta1
CVE-2003-0082 MEDIUM

The Key Distribution Center (KDC) in Kerberos 5 (krb5) 1.2.7 and earlier allows remote, authenticated attackers to cause a denial of service (crash) on KDCs within the same realm using a certain protocol request that causes the KDC to corrupt its heap (aka "buffer underrun").

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
mit kerberos_5 1.2
mit kerberos_5 1.0.6
mit kerberos_5 1.1
mit kerberos_5 1.2.6
mit kerberos_5 1.2.5
mit kerberos 1.0
mit kerberos_5 1.2.1
mit kerberos_5 1.2.7
mit kerberos_5 1.2.2
mit kerberos_5 1.2.4
mit kerberos_5 1.2.3
mit kerberos_5 1.1.1
mit kerberos_5 1.3
mit kerberos 1.2.2.beta1
CVE-2003-0138 HIGH

Version 4 of the Kerberos protocol (krb4), as used in Heimdal and other packages, allows an attacker to impersonate any principal in a realm via a chosen-plaintext attack.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
mit kerberos 4
CVE-2003-0139 HIGH

Certain weaknesses in the implementation of version 4 of the Kerberos protocol (krb4) in the krb5 distribution, when triple-DES keys are used to key krb4 services, allow an attacker to create krb4 tickets for unauthorized principals using a cut-and-paste attack and "ticket splicing."

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
mit kerberos 4
CVE-2004-0523 HIGH

Multiple buffer overflows in krb5_aname_to_localname for MIT Kerberos 5 (krb5) 1.3.3 and earlier allow remote attackers to execute arbitrary code as root.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
sun seam 1.0.2
mit kerberos_5 1.0.6
sgi propack 2.4
mit kerberos_5 1.2.5
mit kerberos_5 1.3.3
sgi propack 3.0
sun solaris 8.0
mit kerberos_5 1.2.7
sun sunos 5.8
tinysofa tinysofa_enterprise_server 1.0_u1
mit kerberos 1.0.8
sun seam 1.0
mit kerberos_5 1.1.1
mit kerberos_5 1.2
sun solaris 9.0
mit kerberos_5 1.1
mit kerberos_5 1.2.6
mit kerberos 1.0
mit kerberos_5 1.2.1
tinysofa tinysofa_enterprise_server 1.0
mit kerberos_5 1.0
mit kerberos_5 1.2.2
mit kerberos_5 1.2.4
sun seam 1.0.1
mit kerberos_5 1.2.3
mit kerberos_5 1.3
mit kerberos 1.2.2.beta1
CVE-2004-0642 HIGH

Double free vulnerabilities in the error handling code for ASN.1 decoders in the (1) Key Distribution Center (KDC) library and (2) client library for MIT Kerberos 5 (krb5) 1.3.4 and earlier may allow remote attackers to execute arbitrary code.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-415,

Products Affected

Vendor Product Version
mit kerberos_5 *
redhat enterprise_linux_desktop 3.0
debian debian_linux 3.0
redhat enterprise_linux_workstation 3.0
redhat enterprise_linux_server 3.0
CVE-2004-0643 MEDIUM

Double free vulnerability in the krb5_rd_cred function for MIT Kerberos 5 (krb5) 1.3.1 and earlier may allow local users to execute arbitrary code.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-415,

Products Affected

Vendor Product Version
mit kerberos_5 *
redhat enterprise_linux_desktop 3.0
debian debian_linux 3.0
redhat enterprise_linux_workstation 3.0
redhat enterprise_linux_server 3.0
CVE-2004-0644 MEDIUM

The asn1buf_skiptail function in the ASN.1 decoder library for MIT Kerberos 5 (krb5) 1.2.2 through 1.3.4 allows remote attackers to cause a denial of service (infinite loop) via a certain BER encoding.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
mit kerberos_5 1.3.2
mit kerberos_5 1.2.6
mit kerberos_5 1.2.5
mit kerberos_5 1.3.3
mit kerberos_5 1.2.7
mit kerberos_5 1.3.4
mit kerberos_5 1.2.2
mit kerberos_5 1.2.4
mit kerberos_5 1.3.1
mit kerberos_5 1.2.3
mit kerberos_5 1.2.8
mit kerberos_5 1.3
CVE-2004-0772 HIGH

Double free vulnerabilities in error handling code in krb524d for MIT Kerberos 5 (krb5) 1.2.8 and earlier may allow remote attackers to execute arbitrary code.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-415,

Products Affected

Vendor Product Version
openpkg openpkg 2.1
mit kerberos_5 *
debian debian_linux 3.0
openpkg openpkg 2.0
CVE-2004-0971 LOW

The krb5-send-pr script in the kerberos5 (krb5) package in Trustix Secure Linux 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite files via a symlink attack on temporary files.

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
mit kerberos_5 1.3.4
CVE-2004-1189 HIGH

The add_to_history function in svr_principal.c in libkadm5srv for MIT Kerberos 5 (krb5) up to 1.3.5, when performing a password change, does not properly track the password policy's history count and the maximum number of keys, which can cause an array index out-of-bounds error and may allow authenticated users to execute arbitrary code via a heap-based buffer overflow.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
mit kerberos_5 *
CVE-2005-0488 MEDIUM

Certain BSD-based Telnet clients, including those used on Solaris and SuSE Linux, allow remote malicious Telnet servers to read sensitive environment variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
mit kerberos_5 1.3.4
sun sunos 5.9
microsoft telnet_client 5.1.2600.2180
CVE-2005-1174 MEDIUM

MIT Kerberos 5 (krb5) 1.3 through 1.4.1 Key Distribution Center (KDC) allows remote attackers to cause a denial of service (application crash) via a certain valid TCP connection that causes a free of unallocated memory.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
mit kerberos_5 1.3.4
mit kerberos_5 1.4
mit kerberos_5 1.3.6
mit kerberos_5 1.3.1
mit kerberos_5 1.3.2
mit kerberos_5 1.3.3
mit kerberos_5 1.4.1
mit kerberos_5 1.3.5
mit kerberos_5 1.3
CVE-2005-1175 HIGH

Heap-based buffer overflow in the Key Distribution Center (KDC) in MIT Kerberos 5 (krb5) 1.4.1 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a certain valid TCP or UDP request.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
mit kerberos_5 1.3.4
mit kerberos_5 1.4
mit kerberos_5 1.3.6
mit kerberos_5 1.3.1
mit kerberos_5 1.3.2
mit kerberos_5 1.3.3
mit kerberos_5 1.4.1
mit kerberos_5 1.3.5
mit kerberos_5 1.3
CVE-2005-1689 HIGH

Double free vulnerability in the krb5_recvauth function in MIT Kerberos 5 (krb5) 1.4.1 and earlier allows remote attackers to execute arbitrary code via certain error conditions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-415,

Products Affected

Vendor Product Version
apple mac_os_x_server *
apple mac_os_x *
mit kerberos_5 *
debian debian_linux 3.0
debian debian_linux 3.1
CVE-2006-6143 HIGH

The RPC library in Kerberos 5 1.4 through 1.4.4, and 1.5 through 1.5.1, as used in Kerberos administration daemon (kadmind) and other products that use this library, calls an uninitialized function pointer in freed memory, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-824,

Products Affected

Vendor Product Version
mit kerberos_5 1.4.3
canonical ubuntu_linux 6.10
mit kerberos_5 1.4.2
mit kerberos_5 1.4.4
mit kerberos_5 1.4
mit kerberos_5 1.5
mit kerberos_5 1.4.1
canonical ubuntu_linux 6.06
mit kerberos_5 1.5.1
CVE-2007-2442 HIGH

The gssrpc__svcauth_gssapi function in the RPC library in MIT Kerberos 5 (krb5) 1.6.1 and earlier might allow remote attackers to execute arbitrary code via a zero-length RPC credential, which causes kadmind to free an uninitialized pointer during cleanup.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-824,

Products Affected

Vendor Product Version
canonical ubuntu_linux 6.10
mit kerberos_5 *
canonical ubuntu_linux 6.06
canonical ubuntu_linux 7.04
debian debian_linux 4.0
debian debian_linux 3.1
CVE-2007-4000 HIGH

The kadm5_modify_policy_internal function in lib/kadm5/srv/svr_policy.c in the Kerberos administration daemon (kadmind) in MIT Kerberos 5 (krb5) 1.5 through 1.6.2 does not properly check return values when the policy does not exist, which might allow remote authenticated users with the "modify policy" privilege to execute arbitrary code via unspecified vectors that trigger a write to an uninitialized pointer.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-824,

Products Affected

Vendor Product Version
mit kerberos_5 *
fedoraproject fedora 7
CVE-2007-5894 HIGH

The reply function in ftpd.c in the gssftp ftpd in MIT Kerberos 5 (krb5) does not initialize the length variable when auth_type has a certain value, which has unknown impact and remote authenticated attack vectors. NOTE: the original disclosure misidentifies the conditions under which the uninitialized variable is used. NOTE: the vendor disputes this issue, stating " The 'length' variable is only uninitialized if 'auth_type' is neither the 'KERBEROS_V4' nor 'GSSAPI'; this condition cannot occur in the unmodified source code.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
mit kerberos_5 -
CVE-2008-0062 HIGH

KDC in MIT Kerberos 5 (krb5kdc) does not set a global variable for some krb4 message types, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted messages that trigger a NULL pointer dereference or double-free.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-665,

Products Affected

Vendor Product Version
fedoraproject fedora 8
canonical ubuntu_linux 6.10
mit kerberos_5 *
fedoraproject fedora 7
canonical ubuntu_linux 6.06
canonical ubuntu_linux 7.04
debian debian_linux 4.0
debian debian_linux 3.1
canonical ubuntu_linux 7.10
CVE-2008-0063 MEDIUM

The Kerberos 4 support in KDC in MIT Kerberos 5 (krb5kdc) does not properly clear the unused portion of a buffer when generating an error message, which might allow remote attackers to obtain sensitive information, aka "Uninitialized stack values."

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-908,

Products Affected

Vendor Product Version
suse linux_enterprise_server 10
apple mac_os_x *
mit kerberos_5 *
suse linux_enterprise_desktop 10
opensuse opensuse 10.2
opensuse opensuse 10.3
fedoraproject fedora 7
debian debian_linux 4.0
canonical ubuntu_linux 7.10
fedoraproject fedora 8
canonical ubuntu_linux 6.10
suse linux_enterprise_software_development_kit 10
apple mac_os_x_server *
canonical ubuntu_linux 6.06
canonical ubuntu_linux 7.04
suse linux 10.1
debian debian_linux 3.1
CVE-2009-0846 HIGH

The asn1_decode_generaltime function in lib/krb5/asn.1/asn1_decode.c in the ASN.1 GeneralizedTime decoder in MIT Kerberos 5 (aka krb5) before 1.6.4 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via vectors involving an invalid DER encoding that triggers a free of an uninitialized pointer.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-824,

Products Affected

Vendor Product Version
apple mac_os_x *
fedoraproject fedora 9
mit kerberos_5 *
redhat enterprise_linux 4.0
canonical ubuntu_linux 8.10
redhat enterprise_linux_desktop 3.0
fedoraproject fedora 10
redhat enterprise_linux_eus 4.7
redhat enterprise_linux_server 3.0
canonical ubuntu_linux 7.10
redhat enterprise_linux_desktop 4.0
redhat enterprise_linux_server 2.0
redhat enterprise_linux_workstation 3.0
canonical ubuntu_linux 6.06
redhat enterprise_linux_server 4.0
redhat enterprise_linux_workstation 4.0
canonical ubuntu_linux 8.04
redhat enterprise_linux_workstation 2.0
CVE-2010-0283 HIGH

The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.7 before 1.7.2, and 1.8 alpha, allows remote attackers to cause a denial of service (assertion failure and daemon crash) via an invalid (1) AS-REQ or (2) TGS-REQ request.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
mit kerberos_5 1.7.1
mit kerberos_5 1.7
mit kerberos 5-1.8
CVE-2010-0628 MEDIUM

The spnego_gss_accept_sec_context function in lib/gssapi/spnego/spnego_mech.c in the SPNEGO GSS-API functionality in MIT Kerberos 5 (aka krb5) 1.7 before 1.7.2 and 1.8 before 1.8.1 allows remote attackers to cause a denial of service (assertion failure and daemon crash) via an invalid packet that triggers incorrect preparation of an error token.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
mit kerberos_5 1.7.1
mit kerberos_5 1.7
mit kerberos_5 1.8
CVE-2010-0629 MEDIUM

Use-after-free vulnerability in kadmin/server/server_stubs.c in kadmind in MIT Kerberos 5 (aka krb5) 1.5 through 1.6.3 allows remote authenticated users to cause a denial of service (daemon crash) via a request from a kadmin client that sends an invalid API version number.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,

Products Affected

Vendor Product Version
opensuse opensuse 11.0
mit kerberos_5 *
canonical ubuntu_linux 9.04
opensuse opensuse 11.1
fedoraproject fedora 11
suse linux_enterprise 11.0
canonical ubuntu_linux 8.10
canonical ubuntu_linux 8.04
CVE-2010-1320 MEDIUM

Double free vulnerability in do_tgs_req.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.7.x and 1.8.x before 1.8.2 allows remote authenticated users to cause a denial of service (daemon crash) or possibly execute arbitrary code via a request associated with (1) renewal or (2) validation.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
mit kerberos_5 1.7.1
mit kerberos_5 1.7
mit kerberos_5 1.8
mit kerberos_5 1.8.1
CVE-2010-1321 MEDIUM

The kg_accept_krb5 function in krb5/accept_sec_context.c in the GSS-API library in MIT Kerberos 5 (aka krb5) through 1.7.1 and 1.8 before 1.8.2, as used in kadmind and other applications, does not properly check for invalid GSS-API tokens, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via an AP-REQ message in which the authenticator's checksum field is missing.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
suse linux_enterprise_server 10
mit kerberos_5 *
fedoraproject fedora 13
opensuse opensuse 11.3
opensuse opensuse 11.0
suse linux_enterprise_server 11
opensuse opensuse 11.2
oracle database_server -
canonical ubuntu_linux 9.04
opensuse opensuse 11.1
fedoraproject fedora 11
debian debian_linux 6.0
canonical ubuntu_linux 10.04
canonical ubuntu_linux 9.10
fedoraproject fedora 12
debian debian_linux 5.0
canonical ubuntu_linux 6.06
canonical ubuntu_linux 8.04
CVE-2010-1322 MEDIUM

The merge_authdata function in kdc_authdata.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8.x before 1.8.4 does not properly manage an index into an authorization-data list, which allows remote attackers to cause a denial of service (daemon crash), or possibly obtain sensitive information, spoof authorization, or execute arbitrary code, via a TGS request that triggers an uninitialized pointer dereference, as demonstrated by a request from a Windows Active Directory client.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
mit kerberos_5 1.8.3
mit kerberos_5 1.8.2
mit kerberos_5 1.8
mit kerberos_5 1.8.1
CVE-2010-1323 LOW

MIT Kerberos 5 (aka krb5) 1.3.x, 1.4.x, 1.5.x, 1.6.x, 1.7.x, and 1.8.x through 1.8.3 does not properly determine the acceptability of checksums, which might allow remote attackers to modify user-visible prompt text, modify a response to a Key Distribution Center (KDC), or forge a KRB-SAFE message via certain checksums that (1) are unkeyed or (2) use RC4 keys.

CVSS 2.0

Severity: LOW

Problem Type: CWE-310,

Products Affected

Vendor Product Version
mit kerberos_5 1.8.3
mit kerberos_5 1.4
mit kerberos_5 1.5
mit kerberos_5 1.3.3
mit kerberos_5 1.6.1
mit kerberos 5-1.5.4
mit kerberos_5 1.5.3
mit kerberos_5 1.4.4
mit kerberos_5 1.8.2
mit kerberos_5 1.7
mit kerberos_5 1.4.1
mit kerberos_5 1.3.5
mit kerberos_5 1.8.1
mit kerberos_5 1.6.2
mit kerberos_5 1.4.3
mit kerberos_5 1.4.2
mit kerberos_5 1.7.1
mit kerberos_5 1.3.2
mit kerberos_5 1.8
mit kerberos_5 1.5.1
mit kerberos_5 1.3.4
mit kerberos_5 1.6
mit kerberos_5 1.3.6
mit kerberos_5 1.3.1
mit kerberos_5 1.3
mit kerberos_5 1.5.2
CVE-2010-1324 MEDIUM

MIT Kerberos 5 (aka krb5) 1.7.x and 1.8.x through 1.8.3 does not properly determine the acceptability of checksums, which might allow remote attackers to forge GSS tokens, gain privileges, or have unspecified other impact via (1) an unkeyed checksum, (2) an unkeyed PAC checksum, or (3) a KrbFastArmoredReq checksum based on an RC4 key.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-310,

Products Affected

Vendor Product Version
mit kerberos_5 1.8.3
mit kerberos_5 1.7.1
mit kerberos_5 1.8.2
mit kerberos_5 1.7
mit kerberos_5 1.8
mit kerberos_5 1.8.1
CVE-2010-4020 LOW

MIT Kerberos 5 (aka krb5) 1.8.x through 1.8.3 does not reject RC4 key-derivation checksums, which might allow remote authenticated users to forge a (1) AD-SIGNEDPATH or (2) AD-KDC-ISSUED signature, and possibly gain privileges, by leveraging the small key space that results from certain one-byte stream-cipher operations.

CVSS 2.0

Severity: LOW

Problem Type: CWE-310,

Products Affected

Vendor Product Version
mit kerberos_5 1.8.3
mit kerberos_5 1.8.2
mit kerberos_5 1.8
mit kerberos_5 1.8.1
CVE-2010-4021 LOW

The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.7 does not properly restrict the use of TGT credentials for armoring TGS requests, which might allow remote authenticated users to impersonate a client by rewriting an inner request, aka a "KrbFastReq forgery issue."

CVSS 2.0

Severity: LOW

Problem Type: CWE-16,CWE-264,

Products Affected

Vendor Product Version
mit kerberos_5 1.7
CVE-2010-4022 MEDIUM

The do_standalone function in the MIT krb5 KDC database propagation daemon (kpropd) in Kerberos 1.7, 1.8, and 1.9, when running in standalone mode, does not properly handle when a worker child process "exits abnormally," which allows remote attackers to cause a denial of service (listening process termination, no new connections, and lack of updates in slave KVC) via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
mit kerberos_5 1.7
mit kerberos_5 1.8
mit kerberos_5 1.9
CVE-2011-0281 MEDIUM

The unparse implementation in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.6.x through 1.9, when an LDAP backend is used, allows remote attackers to cause a denial of service (file descriptor exhaustion and daemon hang) via a principal name that triggers use of a backslash escape sequence, as demonstrated by a \n sequence.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-310,

Products Affected

Vendor Product Version
mit kerberos_5 1.8.3
mit kerberos_5 1.6
mit kerberos_5 1.7.1
mit kerberos 5-1.6.3
mit kerberos_5 1.8.2
mit kerberos_5 1.7
mit kerberos_5 1.8
mit kerberos_5 1.6.1
mit kerberos_5 1.8.1
mit kerberos_5 1.9
mit kerberos_5 1.6.2
CVE-2011-0282 MEDIUM

The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.6.x through 1.9, when an LDAP backend is used, allows remote attackers to cause a denial of service (NULL pointer dereference or buffer over-read, and daemon crash) via a crafted principal name.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
mit kerberos_5 1.8.3
mit kerberos_5 1.6
mit kerberos_5 1.7.1
mit kerberos 5-1.6.3
mit kerberos_5 1.8.2
mit kerberos_5 1.7
mit kerberos_5 1.8
mit kerberos_5 1.6.1
mit kerberos_5 1.8.1
mit kerberos_5 1.9
mit kerberos_5 1.6.2
CVE-2011-0283 MEDIUM

The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.9 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a malformed request packet that does not trigger a response packet.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
mit kerberos_5 1.9
CVE-2011-0284 HIGH

Double free vulnerability in the prepare_error_as function in do_as_req.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.7 through 1.9, when the PKINIT feature is enabled, allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via an e_data field containing typed data.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-399,

Products Affected

Vendor Product Version
mit kerberos_5 1.8.3
mit kerberos_5 1.7.1
mit kerberos_5 1.8.2
mit kerberos_5 1.7
mit kerberos_5 1.8
mit kerberos_5 1.8.1
mit kerberos_5 1.9
CVE-2011-0285 HIGH

The process_chpw_request function in schpw.c in the password-changing functionality in kadmind in MIT Kerberos 5 (aka krb5) 1.7 through 1.9 frees an invalid pointer, which allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via a crafted request that triggers an error condition.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
mit kerberos_5 1.8.3
mit kerberos_5 1.7.1
mit kerberos_5 1.8.2
mit kerberos_5 1.7
mit kerberos_5 1.8
mit kerberos_5 1.8.1
mit kerberos_5 1.9
CVE-2011-1526 MEDIUM

ftpd.c in the GSS-API FTP daemon in MIT Kerberos Version 5 Applications (aka krb5-appl) 1.0.1 and earlier does not check the krb5_setegid return value, which allows remote authenticated users to bypass intended group access restrictions, and create, overwrite, delete, or read files, via standard FTP commands, related to missing autoconf tests in a configure script.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-269,

Products Affected

Vendor Product Version
suse linux_enterprise_server 10
fedoraproject fedora 14
opensuse opensuse 11.4
suse linux_enterprise_desktop 10
opensuse opensuse 11.3
suse linux_enterprise_server 11
suse linux_enterprise_software_development_kit 10
suse linux_enterprise_software_development_kit 11
debian debian_linux 6.0
fedoraproject fedora 15
mit krb5-appl *
debian debian_linux 5.0
suse linux_enterprise_desktop 11
CVE-2011-1527 HIGH

The kdb_ldap plugin in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.9 through 1.9.1, when the LDAP back end is used, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a kinit operation with incorrect string case for the realm, related to the is_principal_in_realm, krb5_set_error_message, krb5_ldap_get_principal, and process_as_req functions.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
mit kerberos_5 1.9.1
mit kerberos_5 1.9
CVE-2011-1528 HIGH

The krb5_ldap_lockout_audit function in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8 through 1.8.4 and 1.9 through 1.9.1, when the LDAP back end is used, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via unspecified vectors, related to the locked_check_p function. NOTE: the Berkeley DB vector is covered by CVE-2011-4151.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
mit kerberos_5 1.8.3
mit kerberos_5 1.8.2
mit kerberos_5 1.8
mit kerberos_5 1.8.1
mit kerberos_5 1.9.1
mit kerberos_5 1.9
mit kerberos_5 1.8.4
CVE-2011-1529 HIGH

The lookup_lockout_policy function in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8 through 1.8.4 and 1.9 through 1.9.1, when the db2 (aka Berkeley DB) or LDAP back end is used, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via vectors that trigger certain process_as_req errors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
mit kerberos_5 1.8.3
mit kerberos_5 1.8.2
mit kerberos_5 1.8
mit kerberos_5 1.8.1
mit kerberos_5 1.9.1
mit kerberos_5 1.9
mit kerberos_5 1.8.4
CVE-2011-1530 MEDIUM

The process_tgs_req function in do_tgs_req.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.9 through 1.9.2 allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted TGS request that triggers an error other than the KRB5_KDB_NOENTRY error.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
mit mit_kerberos 5.1.9.2
mit mit_kerberos 5.1.9
mit mit_kerberos 5.1.9.1
CVE-2011-4151 HIGH

The krb5_db2_lockout_audit function in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8 through 1.8.4, when the db2 (aka Berkeley DB) back end is used, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via unspecified vectors, a different vulnerability than CVE-2011-1528.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
mit kerberos_5 1.8.3
mit kerberos_5 1.8.2
mit kerberos_5 1.8
mit kerberos_5 1.8.1
mit kerberos_5 1.8.4
CVE-2011-4862 HIGH

Buffer overflow in libtelnet/encrypt.c in telnetd in FreeBSD 7.3 through 9.0, MIT Kerberos Version 5 Applications (aka krb5-appl) 1.0.2 and earlier, Heimdal 1.5.1 and earlier, GNU inetutils, and possibly other products allows remote attackers to execute arbitrary code via a long encryption key, as exploited in the wild in December 2011.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-120,

Products Affected

Vendor Product Version
suse linux_enterprise_server 10
debian debian_linux 7.0
opensuse opensuse 11.4
suse linux_enterprise_desktop 10
opensuse opensuse 11.3
suse linux_enterprise_server 11
gnu inetutils *
suse linux_enterprise_software_development_kit 10
suse linux_enterprise_server 9
suse linux_enterprise_software_development_kit 11
debian debian_linux 6.0
fedoraproject fedora 15
mit krb5-appl *
heimdal_project heimdal *
fedoraproject fedora 16
freebsd freebsd *
debian debian_linux 5.0
suse linux_enterprise_desktop 11
CVE-2012-1012 MEDIUM

server/server_stubs.c in the kadmin protocol implementation in MIT Kerberos 5 (aka krb5) 1.10 before 1.10.1 does not properly restrict access to (1) SET_STRING and (2) GET_STRINGS operations, which might allow remote authenticated administrators to modify or read string attributes by leveraging the global list privilege.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
mit kerberos_5 1.10
mit kerberos_5 1.10.1
CVE-2012-1013 MEDIUM

The check_1_6_dummy function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) 1.8.x, 1.9.x, and 1.10.x before 1.10.2 allows remote authenticated administrators to cause a denial of service (NULL pointer dereference and daemon crash) via a KRB5_KDB_DISALLOW_ALL_TIX create request that lacks a password.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
mit kerberos_5 1.8.3
mit kerberos_5 1.9.3
mit kerberos_5 1.8
mit kerberos_5 1.10.1
mit kerberos_5 1.8.6
mit kerberos_5 1.9
mit kerberos_5 1.8.4
mit kerberos_5 1.8.5
mit kerberos_5 1.9.2
mit kerberos_5 1.10
mit kerberos_5 1.8.2
mit kerberos_5 1.8.1
mit kerberos_5 1.9.1
CVE-2013-1415 MEDIUM

The pkinit_check_kdc_pkid function in plugins/preauth/pkinit/pkinit_crypto_openssl.c in the PKINIT implementation in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.10.4 and 1.11.x before 1.11.1 does not properly handle errors during extraction of fields from an X.509 certificate, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a malformed KRB5_PADATA_PK_AS_REQ AS-REQ request.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
mit kerberos_5 *
mit kerberos_5 1.11
opensuse opensuse 11.4
CVE-2013-1416 MEDIUM

The prep_reprocess_req function in do_tgs_req.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.10.5 does not properly perform service-principal realm referral, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted TGS-REQ request.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
fedoraproject fedora 18
redhat enterprise_linux_server 6.0
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_eus 6.4
redhat enterprise_linux_server_aus 6.4
mit kerberos_5 *
redhat enterprise_linux_desktop 6.0
opensuse opensuse 12.1
opensuse opensuse 11.4
opensuse opensuse 12.3
fedoraproject fedora 17
opensuse opensuse 12.2
CVE-2013-1417 LOW

do_tgs_req.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.11 before 1.11.4, when a single-component realm name is used, allows remote authenticated users to cause a denial of service (daemon crash) via a TGS-REQ request that triggers an attempted cross-realm referral for a host-based service principal.

CVSS 2.0

Severity: LOW

Problem Type: CWE-20,

Products Affected

Vendor Product Version
mit kerberos_5 1.11.3
mit kerberos_5 1.11
mit kerberos_5 1.11.2
mit kerberos_5 1.11.1
CVE-2013-1418 MEDIUM

The setup_server_realm function in main.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.10.7, when multiple realms are configured, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted request.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
mit kerberos_5 *
debian debian_linux 7.0
opensuse opensuse 13.1
opensuse opensuse 11.4
opensuse opensuse 12.3
opensuse opensuse 12.2
CVE-2013-6800 MEDIUM

An unspecified third-party database module for the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.10.x allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted request, a different vulnerability than CVE-2013-1418.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
mit kerberos 5-1.10.7
mit kerberos_5 1.10
mit kerberos_5 1.10.4
mit kerberos 5-1.10.6
mit kerberos_5 1.10.1
mit kerberos_5 1.10.3
mit kerberos 5-1.10.5
mit kerberos_5 1.10.2
CVE-2014-4341 MEDIUM

MIT Kerberos 5 (aka krb5) before 1.12.2 allows remote attackers to cause a denial of service (buffer over-read and application crash) by injecting invalid tokens into a GSSAPI application session.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
redhat enterprise_linux_server_aus 7.3
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_server_eus 7.4
redhat enterprise_linux_tus 7.7
mit kerberos_5 *
debian debian_linux 7.0
redhat enterprise_linux_server_eus 7.6
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_tus 7.6
redhat enterprise_linux_server_aus 7.6
redhat enterprise_linux_eus 7.3
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server 7.0
redhat enterprise_linux_eus 7.6
redhat enterprise_linux_server_eus 7.7
redhat enterprise_linux_server_eus 7.3
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_desktop 7.0
fedoraproject fedora 20
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_tus 7.3
CVE-2014-4342 MEDIUM

MIT Kerberos 5 (aka krb5) 1.7.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (buffer over-read or NULL pointer dereference, and application crash) by injecting invalid tokens into a GSSAPI application session.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
mit kerberos_5 1.9.4
mit kerberos_5 1.8.3
mit kerberos_5 1.11.3
mit kerberos_5 1.12.1
debian debian_linux 7.0
mit kerberos 5-1.10.6
mit kerberos_5 1.10.1
mit kerberos_5 1.8.6
mit kerberos_5 1.11.2
mit kerberos_5 1.10.3
mit kerberos_5 1.9
mit kerberos_5 1.12
mit kerberos_5 1.9.2
redhat enterprise_linux_server 7.0
mit kerberos 5-1.10.7
mit kerberos_5 1.8.2
mit kerberos_5 1.7
mit kerberos_5 1.10.4
redhat enterprise_linux_desktop 7.0
mit kerberos_5 1.8.1
mit kerberos_5 1.9.1
mit kerberos_5 1.11.1
mit kerberos_5 1.11.4
mit kerberos_5 1.9.3
mit kerberos_5 1.11
mit kerberos_5 1.7.1
mit kerberos_5 1.8
mit kerberos 5-1.10.5
mit kerberos_5 1.8.4
mit kerberos_5 1.8.5
mit kerberos 5-1.8
redhat enterprise_linux_hpc_node 7.0
mit kerberos_5 1.10
redhat enterprise_linux_workstation 7.0
mit kerberos_5 1.10.2
CVE-2014-4343 HIGH

Double free vulnerability in the init_ctx_reselect function in the SPNEGO initiator in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.10.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via network traffic that appears to come from an intended acceptor, but specifies a security mechanism different from the one proposed by the initiator.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-415,

Products Affected

Vendor Product Version
mit kerberos_5 1.11.3
mit kerberos_5 1.11
mit kerberos_5 1.12.1
debian debian_linux 7.0
mit kerberos_5 1.10.1
mit kerberos_5 1.11.2
mit kerberos_5 1.10.3
mit kerberos_5 1.12
redhat enterprise_linux_server 7.0
redhat enterprise_linux_hpc_node 7.0
mit kerberos_5 1.10
mit kerberos_5 1.11.5
mit kerberos_5 1.10.4
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_workstation 7.0
mit kerberos_5 1.11.1
mit kerberos_5 1.10.2
mit kerberos_5 1.11.4
CVE-2014-4344 HIGH

The acc_ctx_cont function in the SPNEGO acceptor in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.5.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty continuation token at a certain point during a SPNEGO negotiation.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-476,

Products Affected

Vendor Product Version
mit kerberos_5 1.11.3
mit kerberos_5 1.11
mit kerberos_5 1.12.1
debian debian_linux 7.0
mit kerberos_5 1.10.1
mit kerberos_5 1.11.2
mit kerberos_5 1.10.3
mit kerberos_5 1.12
redhat enterprise_linux_server 7.0
redhat enterprise_linux_hpc_node 7.0
mit kerberos_5 1.10
mit kerberos_5 1.11.5
mit kerberos_5 1.10.4
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_workstation 7.0
mit kerberos_5 1.11.1
mit kerberos_5 1.10.2
mit kerberos_5 1.11.4
CVE-2014-4345 HIGH

Off-by-one error in the krb5_encode_krbsecretkey function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in the LDAP KDB module in kadmind in MIT Kerberos 5 (aka krb5) 1.6.x through 1.11.x before 1.11.6 and 1.12.x before 1.12.2 allows remote authenticated users to cause a denial of service (buffer overflow) or possibly execute arbitrary code via a series of "cpw -keepold" commands.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-189,

Products Affected

Vendor Product Version
mit kerberos_5 1.9.4
mit kerberos_5 1.8.3
mit kerberos_5 1.11.3
mit kerberos_5 1.12.1
mit kerberos_5 1.10.1
mit kerberos_5 1.8.6
mit kerberos_5 1.11.2
mit kerberos_5 1.6.1
mit kerberos_5 1.10.3
mit kerberos_5 1.9
mit kerberos_5 1.12
mit kerberos_5 1.9.2
mit kerberos_5 1.11.5
mit kerberos_5 1.8.2
mit kerberos_5 1.7
mit kerberos_5 1.10.4
mit kerberos_5 1.8.1
mit kerberos_5 1.9.1
mit kerberos_5 1.11.1
mit kerberos_5 1.11.4
mit kerberos_5 1.6.2
mit kerberos_5 1.9.3
mit kerberos_5 1.11
mit kerberos_5 1.7.1
mit kerberos_5 1.8
mit kerberos_5 1.8.4
mit kerberos_5 1.8.5
mit kerberos_5 1.6
mit kerberos_5 1.10
mit kerberos_5 1.10.2
CVE-2014-5351 LOW

The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13 sends old keys in a response to a -randkey -keepold request, which allows remote authenticated users to forge tickets by leveraging administrative access.

CVSS 2.0

Severity: LOW

Problem Type: CWE-255,

Products Affected

Vendor Product Version
mit kerberos_5 1.12.2
CVE-2014-5352 HIGH

The krb5_gss_process_context_token function in lib/gssapi/krb5/process_context_token.c in the libgssapi_krb5 library in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 does not properly maintain security-context handles, which allows remote authenticated users to cause a denial of service (use-after-free and double free, and daemon crash) or possibly execute arbitrary code via crafted GSSAPI traffic, as demonstrated by traffic to kadmind.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
mit kerberos_5 1.11.3
mit kerberos_5 1.11
mit kerberos_5 1.12.1
mit kerberos_5 1.13
mit kerberos_5 1.11.5
mit kerberos_5 1.11.2
mit kerberos_5 1.12.2
mit kerberos_5 1.11.1
mit kerberos_5 1.11.4
mit kerberos_5 1.12
CVE-2014-5353 LOW

The krb5_ldap_get_password_policy_from_dn function in plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c in MIT Kerberos 5 (aka krb5) before 1.13.1, when the KDC uses LDAP, allows remote authenticated users to cause a denial of service (daemon crash) via a successful LDAP query with no results, as demonstrated by using an incorrect object type for a password policy.

CVSS 2.0

Severity: LOW

Problem Type: CWE-476,

Products Affected

Vendor Product Version
canonical ubuntu_linux 14.04
redhat enterprise_linux_server_tus 6.6
redhat enterprise_linux_server_aus 7.3
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_server_aus 6.6
mit kerberos_5 *
fedoraproject fedora 22
debian debian_linux 7.0
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_server_aus 7.6
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_server 7.0
opensuse opensuse 13.2
canonical ubuntu_linux 10.04
opensuse opensuse 13.1
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_eus 6.6
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_server 6.0
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server_tus 7.7
oracle solaris 11.2
redhat enterprise_linux_desktop 6.0
canonical ubuntu_linux 14.10
redhat enterprise_linux_eus 7.3
redhat enterprise_linux_eus 7.4
canonical ubuntu_linux 12.04
redhat enterprise_linux_eus 7.6
oracle solaris 10
CVE-2014-5354 LOW

plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x before 1.13.1, when the KDC uses LDAP, allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) by creating a database entry for a keyless principal, as demonstrated by a kadmin "add_principal -nokey" or "purgekeys -all" command.

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
mit kerberos_5 1.12.1
mit kerberos 5_1.13
mit kerberos_5 1.12.2
mit kerberos_5 1.12
CVE-2014-5355 MEDIUM

MIT Kerberos 5 (aka krb5) through 1.13.1 incorrectly expects that a krb5_read_message data field is represented as a string ending with a '\0' character, which allows remote attackers to (1) cause a denial of service (NULL pointer dereference) via a zero-byte version string or (2) cause a denial of service (out-of-bounds read) by omitting the '\0' character, related to appl/user_user/server.c and lib/krb5/krb/recvauth.c.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
mit kerberos_5 1.9.4
mit kerberos_5 1.8.3
mit kerberos_5 1.13
mit kerberos_5 1.13.1
mit kerberos_5 1.5
mit kerberos_5 1.2.5
mit kerberos_5 1.3.3
mit kerberos_5 1.8.6
mit kerberos_5 1.6.1
mit kerberos_5 1.9
mit kerberos_5 1.12
mit kerberos_5 1.5.3
mit kerberos_5 1.9.2
mit kerberos_5 1.7
mit kerberos_5 1.2.8
mit kerberos_5 1.6.2
mit kerberos_5 1.4.3
mit kerberos_5 1.9.3
mit kerberos_5 1.2.1
mit kerberos_5 1.3.4
mit kerberos_5 1.2.2
mit kerberos_5 1.6
mit kerberos_5 1.3.6
mit kerberos_5 1.3
mit kerberos_5 1.5.2
mit kerberos_5 1.11.3
mit kerberos_5 1.4
mit kerberos_5 1.12.1
mit kerberos_5 1.10.1
mit kerberos_5 1.11.2
mit kerberos_5 1.10.3
mit kerberos_5 1.2.7
mit kerberos_5 1.4.4
mit kerberos_5 1.11.5
mit kerberos_5 1.8.2
mit kerberos_5 1.10.4
mit kerberos_5 1.4.1
mit kerberos_5 1.3.5
mit kerberos_5 1.8.1
mit kerberos_5 1.9.1
mit kerberos_5 1.11.1
mit kerberos_5 1.11.4
mit kerberos_5 1.4.2
mit kerberos_5 1.2
mit kerberos_5 1.11
mit kerberos_5 1.7.1
mit kerberos_5 1.3.2
mit kerberos_5 1.1
mit kerberos_5 1.2.6
mit kerberos_5 1.8
mit kerberos_5 1.12.2
mit kerberos_5 1.5.1
mit kerberos_5 1.8.4
mit kerberos_5 1.8.5
mit kerberos_5 1.2.4
mit kerberos_5 1.10
mit kerberos_5 1.3.1
mit kerberos_5 1.2.3
mit kerberos_5 1.10.2
CVE-2014-9421 HIGH

The auth_gssapi_unwrap_data function in lib/rpc/auth_gssapi_misc.c in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 does not properly handle partial XDR deserialization, which allows remote authenticated users to cause a denial of service (use-after-free and double free, and daemon crash) or possibly execute arbitrary code via malformed XDR data, as demonstrated by data sent to kadmind.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
mit kerberos_5 1.11.3
mit kerberos_5 1.11
mit kerberos_5 1.12.1
mit kerberos_5 1.13
mit kerberos_5 1.11.5
mit kerberos_5 1.11.2
mit kerberos_5 1.12.2
mit kerberos_5 1.11.1
mit kerberos_5 1.11.4
mit kerberos_5 1.12
CVE-2014-9422 MEDIUM

The check_rpcsec_auth function in kadmin/server/kadm_rpc_svc.c in kadmind in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 allows remote authenticated users to bypass a kadmin/* authorization check and obtain administrative access by leveraging access to a two-component principal with an initial "kadmind" substring, as demonstrated by a "ka/x" principal.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-284,

Products Affected

Vendor Product Version
mit kerberos_5 1.11.3
mit kerberos_5 1.11
mit kerberos_5 1.12.1
mit kerberos_5 1.13
mit kerberos_5 1.11.5
mit kerberos_5 1.11.2
mit kerberos_5 1.12.2
mit kerberos_5 1.11.1
mit kerberos_5 1.11.4
mit kerberos_5 1.12
CVE-2014-9423 MEDIUM

The svcauth_gss_accept_sec_context function in lib/rpc/svc_auth_gss.c in MIT Kerberos 5 (aka krb5) 1.11.x through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 transmits uninitialized interposer data to clients, which allows remote attackers to obtain sensitive information from process heap memory by sniffing the network for data in a handle field.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
mit kerberos_5 1.11.3
mit kerberos_5 1.11
mit kerberos_5 1.12.1
mit kerberos_5 1.13
mit kerberos_5 1.11.5
mit kerberos_5 1.11.2
mit kerberos_5 1.12.2
mit kerberos_5 1.11.1
mit kerberos_5 1.11.4
mit kerberos_5 1.12
CVE-2015-2694 MEDIUM

The kdcpreauth modules in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x before 1.13.2 do not properly track whether a client's request has been validated, which allows remote attackers to bypass an intended preauthentication requirement by providing (1) zero bytes of data or (2) an arbitrary realm name, related to plugins/preauth/otp/main.c and plugins/preauth/pkinit/pkinit_srv.c.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
mit kerberos_5 1.12.1
mit kerberos_5 1.13
mit kerberos_5 1.13.1
mit kerberos_5 1.12.3
mit kerberos_5 1.12.2
mit kerberos_5 1.12
CVE-2015-2695 MEDIUM

lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) before 1.14 relies on an inappropriate context handle, which allows remote attackers to cause a denial of service (incorrect pointer read and process crash) via a crafted SPNEGO packet that is mishandled during a gss_inquire_context call.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-763,

Products Affected

Vendor Product Version
canonical ubuntu_linux 14.04
canonical ubuntu_linux 15.04
mit kerberos_5 *
debian debian_linux 7.0
suse linux_enterprise_software_development_kit 12
debian debian_linux 8.0
oracle solaris 11.3
suse linux_enterprise_server 11
opensuse leap 42.1
suse linux_enterprise_software_development_kit 11
canonical ubuntu_linux 12.04
opensuse opensuse 13.2
opensuse opensuse 13.1
canonical ubuntu_linux 15.10
debian debian_linux 9.0
suse linux_enterprise_server 12
suse linux_enterprise_desktop 11
suse linux_enterprise_desktop 12
CVE-2015-2696 HIGH

lib/gssapi/krb5/iakerb.c in MIT Kerberos 5 (aka krb5) before 1.14 relies on an inappropriate context handle, which allows remote attackers to cause a denial of service (incorrect pointer read and process crash) via a crafted IAKERB packet that is mishandled during a gss_inquire_context call.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-18,

Products Affected

Vendor Product Version
canonical ubuntu_linux 14.04
canonical ubuntu_linux 15.04
mit kerberos_5 *
debian debian_linux 7.0
suse linux_enterprise_software_development_kit 12
debian debian_linux 8.0
opensuse leap 42.1
canonical ubuntu_linux 12.04
opensuse opensuse 13.2
opensuse opensuse 13.1
canonical ubuntu_linux 15.10
debian debian_linux 9.0
suse linux_enterprise_server 12
suse linux_enterprise_desktop 12
CVE-2015-2697 MEDIUM

The build_principal_va function in lib/krb5/krb/bld_princ.c in MIT Kerberos 5 (aka krb5) before 1.14 allows remote authenticated users to cause a denial of service (out-of-bounds read and KDC crash) via an initial '\0' character in a long realm field within a TGS request.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
canonical ubuntu_linux 14.04
canonical ubuntu_linux 15.04
mit kerberos_5 *
debian debian_linux 7.0
suse linux_enterprise_software_development_kit 12
debian debian_linux 8.0
oracle solaris 11.3
opensuse leap 42.1
canonical ubuntu_linux 12.04
opensuse opensuse 13.2
opensuse opensuse 13.1
canonical ubuntu_linux 15.10
debian debian_linux 9.0
suse linux_enterprise_server 12
suse linux_enterprise_desktop 12
CVE-2015-2698 HIGH

The iakerb_gss_export_sec_context function in lib/gssapi/krb5/iakerb.c in MIT Kerberos 5 (aka krb5) 1.14 pre-release 2015-09-14 improperly accesses a certain pointer, which allows remote authenticated users to cause a denial of service (memory corruption) or possibly have unspecified other impact by interacting with an application that calls the gss_export_sec_context function. NOTE: this vulnerability exists because of an incorrect fix for CVE-2015-2696.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
mit kerberos_5 1.14
CVE-2015-8629 LOW

The xdr_nullstring function in lib/kadm5/kadm_rpc_xdr.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13.4 and 1.14.x before 1.14.1 does not verify whether '\0' characters exist as expected, which allows remote authenticated users to obtain sensitive information or cause a denial of service (out-of-bounds read) via a crafted string.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N 1.6 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-125,

Products Affected

Vendor Product Version
redhat enterprise_linux_server_aus 7.3
redhat enterprise_linux_server_aus 7.7
mit kerberos_5 *
debian debian_linux 7.0
redhat enterprise_linux_server_tus 7.2
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_server_aus 7.6
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_eus 6.7
debian debian_linux 8.0
redhat enterprise_linux_server_tus 7.3
oracle solaris 11.3
redhat enterprise_linux_server 7.0
opensuse opensuse 13.2
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_aus 7.2
redhat enterprise_linux_server 6.0
redhat enterprise_linux_workstation 6.0
oracle linux 7
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_desktop 6.0
redhat enterprise_linux_eus 7.3
redhat enterprise_linux_eus 7.4
oracle linux 6
opensuse leap 42.1
redhat enterprise_linux_eus 7.6
redhat enterprise_linux_eus 7.2
oracle solaris 10
redhat enterprise_linux_workstation 7.0
CVE-2015-8630 MEDIUM

The (1) kadm5_create_principal_3 and (2) kadm5_modify_principal functions in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x before 1.13.4 and 1.14.x before 1.14.1 allow remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) by specifying KADM5_POLICY with a NULL policy name.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
mit kerberos_5 1.12.4
mit kerberos_5 1.13.3
mit kerberos_5 1.12.1
mit kerberos_5 1.13
mit kerberos_5 1.13.1
mit kerberos_5 1.14
mit kerberos_5 1.12.3
mit kerberos_5 1.13.2
mit kerberos_5 1.12.2
mit kerberos_5 1.12
mit kerberos_5 1.12.5
CVE-2015-8631 MEDIUM

Multiple memory leaks in kadmin/server/server_stubs.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13.4 and 1.14.x before 1.14.1 allow remote authenticated users to cause a denial of service (memory consumption) via a request specifying a NULL principal name.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-772,

Products Affected

Vendor Product Version
redhat enterprise_linux_server_aus 7.3
redhat enterprise_linux_server_aus 7.7
mit kerberos_5 *
debian debian_linux 7.0
redhat enterprise_linux_server_tus 7.2
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_server_aus 7.6
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_eus 6.7
debian debian_linux 8.0
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_server 7.0
opensuse opensuse 13.2
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_aus 7.2
redhat enterprise_linux_server 6.0
redhat enterprise_linux_workstation 6.0
oracle linux 7
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_desktop 6.0
redhat enterprise_linux_eus 7.3
redhat enterprise_linux_eus 7.4
oracle linux 6
opensuse leap 42.1
redhat enterprise_linux_eus 7.6
redhat enterprise_linux_eus 7.2
redhat enterprise_linux_workstation 7.0
CVE-2016-3119 LOW

The process_db_args function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in the LDAP KDB module in kadmind in MIT Kerberos 5 (aka krb5) through 1.13.4 and 1.14.x through 1.14.1 mishandles the DB argument, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted request to modify a principal.

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
mit kerberos_5 1.9.4
mit kerberos_5 1.14.1
mit kerberos_5 1.8.3
mit kerberos_5 1.13
mit kerberos_5 1.13.1
mit kerberos_5 1.5
mit kerberos_5 1.2.5
mit kerberos_5 1.3.3
mit kerberos_5 1.8.6
mit kerberos_5 1.6.1
mit kerberos_5 1.9
mit kerberos_5 1.12
mit kerberos_5 1.5.3
mit kerberos_5 1.9.2
mit kerberos_5 1.13.4
mit kerberos_5 1.14
mit kerberos_5 1.7
mit kerberos_5 1.1.1
mit kerberos_5 1.2.8
mit kerberos_5 1.6.2
mit kerberos_5 1.4.3
mit kerberos_5 1.9.3
mit kerberos_5 1.2.1
mit kerberos_5 1.0
opensuse leap 42.1
mit kerberos_5 1.3.4
mit kerberos_5 1.2.2
mit kerberos_5 1.6
mit kerberos_5 1.3.6
mit kerberos_5 1.3
mit kerberos_5 1.5.2
mit kerberos_5 1.13.3
mit kerberos_5 1.0.6
mit kerberos_5 1.11.3
mit kerberos_5 1.4
mit kerberos_5 1.12.1
mit kerberos_5 1.10.1
mit kerberos_5 1.11.2
mit kerberos_5 1.10.3
mit kerberos_5 1.2.7
mit kerberos_5 1.14.0
mit kerberos_5 1.4.4
opensuse opensuse 13.2
mit kerberos_5 1.11.5
mit kerberos_5 1.8.2
mit kerberos_5 1.10.4
mit kerberos_5 1.12.3
mit kerberos_5 1.4.1
mit kerberos_5 1.3.5
mit kerberos_5 1.13.2
mit kerberos_5 1.8.1
mit kerberos_5 1.9.1
mit kerberos_5 1.11.1
mit kerberos_5 1.11.4
mit kerberos_5 1.4.2
mit kerberos_5 1.2
mit kerberos_5 1.11
mit kerberos_5 1.7.1
mit kerberos_5 1.3.2
mit kerberos_5 1.1
mit kerberos_5 1.2.6
mit kerberos_5 1.8
mit kerberos_5 1.12.2
mit kerberos_5 1.5.1
mit kerberos_5 1.8.4
mit kerberos_5 1.8.5
mit kerberos_5 1.2.4
mit kerberos_5 1.10
mit kerberos_5 1.3.1
mit kerberos_5 1.2.3
mit kerberos_5 1.10.2
CVE-2016-3120 MEDIUM

The validate_as_request function in kdc_util.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.13.6 and 1.4.x before 1.14.3, when restrict_anonymous_to_tgt is enabled, uses an incorrect client data structure, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via an S4U2Self request.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
mit kerberos_5 1.13.3
mit kerberos_5 1.14.1
mit kerberos_5 1.13.5
mit kerberos_5 1.13.6
mit kerberos_5 1.13.4
mit kerberos_5 1.13
mit kerberos_5 1.13.1
mit kerberos_5 1.14
mit kerberos_5 1.13.2
mit kerberos_5 1.14.2
CVE-2017-11368 MEDIUM

In MIT Kerberos 5 (aka krb5) 1.7 and later, an authenticated attacker can cause a KDC assertion failure by sending invalid S4U2Self or S4U2Proxy requests.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-617,

Products Affected

Vendor Product Version
mit kerberos_5 1.9.4
mit kerberos_5 1.13.3
mit kerberos_5 1.14.1
mit kerberos_5 1.13.5
mit kerberos_5 1.8.3
mit kerberos_5 1.11.3
mit kerberos_5 1.12.1
mit kerberos_5 1.13
mit kerberos_5 1.13.1
mit kerberos_5 1.10.1
mit kerberos_5 1.8.6
mit kerberos_5 1.11.2
mit kerberos_5 1.10.3
mit kerberos_5 1.9
mit kerberos_5 1.14.5
mit kerberos_5 1.12
fedoraproject fedora 26
mit kerberos_5 1.9.2
mit kerberos_5 1.11.5
mit kerberos_5 1.8.2
mit kerberos_5 1.14
mit kerberos_5 1.7
mit kerberos_5 1.10.4
mit kerberos_5 1.12.3
mit kerberos_5 1.15.1
mit kerberos_5 1.13.2
mit kerberos_5 1.8.1
mit kerberos_5 1.9.1
mit kerberos_5 1.14.3
mit kerberos_5 1.11.1
mit kerberos_5 1.11.4
mit kerberos_5 1.9.3
mit kerberos_5 1.11
mit kerberos_5 1.7.1
fedoraproject fedora 25
mit kerberos_5 1.8
mit kerberos 5-1.13.7
mit kerberos_5 1.12.2
mit kerberos_5 1.14.2
mit kerberos_5 1.8.4
mit kerberos_5 1.8.5
mit kerberos_5 1.13.6
mit kerberos_5 1.10
mit kerberos_5 1.14.4
mit kerberos_5 1.15
mit kerberos_5 1.10.2
CVE-2017-11462 HIGH

Double free vulnerability in MIT Kerberos 5 (aka krb5) allows attackers to have unspecified impact via vectors involving automatic deletion of security contexts on error.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-415,

Products Affected

Vendor Product Version
fedoraproject fedora 26
mit kerberos_5 1.14.1
mit kerberos_5 1.14.4
fedoraproject fedora 25
mit kerberos_5 1.14
mit kerberos_5 1.15.1
mit kerberos_5 1.14.3
mit kerberos_5 1.15
mit kerberos_5 1.14.2
mit kerberos_5 1.14.5
CVE-2017-15088 HIGH

plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related to the get_matching_data and X509_NAME_oneline_ex functions. NOTE: this has security relevance only in use cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin code that is specific to Red Hat.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-121,CWE-119,

Products Affected

Vendor Product Version
mit kerberos_5 *
CVE-2017-7562 MEDIUM

An authentication bypass flaw was found in the way krb5's certauth interface before 1.16.1 handled the validation of client certificates. A remote attacker able to communicate with the KDC could potentially use this flaw to impersonate arbitrary principals under rare and erroneous circumstances.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,CWE-295,CWE-287,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
mit kerberos_5 *
redhat enterprise_linux 7.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_workstation 7.0
CVE-2018-20217 LOW

A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H 1.6 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-617,

Products Affected

Vendor Product Version
mit kerberos *
debian debian_linux 9.0
debian debian_linux 8.0
CVE-2018-5709 MEDIUM

An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,

Products Affected

Vendor Product Version
mit kerberos *
CVE-2018-5710 MEDIUM

An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. The pre-defined function "strlen" is getting a "NULL" string as a parameter value in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in the Key Distribution Center (KDC), which allows remote authenticated users to cause a denial of service (NULL pointer dereference) via a modified kadmin client.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
mit kerberos *
CVE-2018-5729 MEDIUM

MIT krb5 1.6 or later allows an authenticated kadmin with permission to add principals to an LDAP Kerberos database to cause a denial of service (NULL pointer dereference) or bypass a DN container check by supplying tagged data that is internal to the database module.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L 1.2 3.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
fedoraproject fedora 26
redhat enterprise_linux_server 7.0
mit kerberos_5 *
debian debian_linux 9.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_workstation 7.0
debian debian_linux 8.0
fedoraproject fedora 27
CVE-2018-5730 MEDIUM

MIT krb5 1.6 or later allows an authenticated kadmin with permission to add principals to an LDAP Kerberos database to circumvent a DN containership check by supplying both a "linkdn" and "containerdn" database argument, or by supplying a DN string which is a left extension of a container DN string but is not hierarchically within the container DN.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.8 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N 1.2 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-90,

Products Affected

Vendor Product Version
fedoraproject fedora 26
redhat enterprise_linux_server 7.0
mit kerberos_5 *
debian debian_linux 9.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_workstation 7.0
debian debian_linux 8.0
fedoraproject fedora 27
CVE-2019-14844 MEDIUM

A flaw was found in, Fedora versions of krb5 from 1.16.1 to, including 1.17.x, in the way a Kerberos client could crash the KDC by sending one of the RFC 4556 "enctypes". A remote unauthenticated user could use this flaw to crash the KDC.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-628,NVD-CWE-Other,

Products Affected

Vendor Product Version
fedoraproject fedora 29
fedoraproject fedora 30
mit kerberos_5 *
fedoraproject fedora 31
CVE-2019-25017 MEDIUM

An issue was discovered in rcp in MIT krb5-appl through 1.0.3. Due to the rcp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the rcp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious rcp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rcp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file). This issue is similar to CVE-2019-6111 and CVE-2019-7283. NOTE: MIT krb5-appl is not supported upstream but is shipped by a few Linux distributions. The affected code was removed from the supported MIT Kerberos 5 (aka krb5) product many years ago, at version 1.8.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-863,

Products Affected

Vendor Product Version
mit krb5-appl *
CVE-2019-25018 MEDIUM

In the rcp client in MIT krb5-appl through 1.0.3, malicious servers could bypass intended access restrictions via the filename of . or an empty filename, similar to CVE-2018-20685 and CVE-2019-7282. The impact is modifying the permissions of the target directory on the client side. NOTE: MIT krb5-appl is not supported upstream but is shipped by a few Linux distributions. The affected code was removed from the supported MIT Kerberos 5 (aka krb5) product many years ago, at version 1.8.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
mit krb5-appl *
CVE-2020-14000 HIGH

MIT Lifelong Kindergarten Scratch scratch-vm before 0.2.0-prerelease.20200714185213 loads extension URLs from untrusted project.json files with certain _ characters, resulting in remote code execution because the URL's content is treated as a script and is executed as a worker. The responsible code is getExtensionIdForOpcode in serialization/sb3.js. The use of _ is incompatible with a protection mechanism in older versions, in which URLs were split and consequently deserialization attacks were prevented. NOTE: the scratch.mit.edu hosted service is not affected because of the lack of worker scripts.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-502,

Products Affected

Vendor Product Version
mit scratch-vm *
CVE-2020-27428 MEDIUM

A DOM-based cross-site scripting (XSS) vulnerability in Scratch-Svg-Renderer v0.2.0 allows attackers to execute arbitrary web scripts or HTML via a crafted sb3 file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mit scratch-svg-renderer 0.2.0
CVE-2020-28196 MEDIUM

MIT Kerberos 5 (aka krb5) before 1.17.2 and 1.18.x before 1.18.3 allows unbounded recursion via an ASN.1-encoded Kerberos message because the lib/krb5/asn.1/asn1_encode.c support for BER indefinite lengths lacks a recursion limit.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-674,CWE-674,

Products Affected

Vendor Product Version
netapp active_iq_unified_manager -
netapp snapcenter -
mit kerberos_5 *
oracle communications_pricing_design_center 12.0.0.3.0
fedoraproject fedora 31
oracle mysql_server *
netapp cloud_backup -
netapp oncommand_insight -
netapp oncommand_workflow_automation -
oracle communications_offline_mediation_controller 12.0.0.3.0
oracle communications_cloud_native_core_policy 1.14.0
CVE-2020-7750 MEDIUM

This affects the package scratch-svg-renderer before 0.2.0-prerelease.20201019174008. The loadString function does not escape SVG properly, which can be used to inject arbitrary elements into the DOM via the _transformMeasurements function.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
report@snyk.io 9.6 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H 2.8 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mit scratch-svg-renderer 0.2.0
mit scratch-svg-renderer 0.1.0
CVE-2021-32471 HIGH

Insufficient input validation in the Marvin Minsky 1967 implementation of the Universal Turing Machine allows program users to execute arbitrary code via crafted data. For example, a tape head may have an unexpected location after the processing of input composed of As and Bs (instead of 0s and 1s). NOTE: the discoverer states "this vulnerability has no real-world implications."

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
mit universal_turing_machine -
CVE-2021-36222 MEDIUM

ec_verify in kdc/kdc_preauth_ec.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.4 and 1.19.x before 1.19.2 allows remote attackers to cause a NULL pointer dereference and daemon crash. This occurs because a return value is not properly managed in a certain situation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
netapp active_iq_unified_manager -
debian debian_linux 10.0
netapp snapcenter -
mit kerberos_5 *
oracle mysql_server *
netapp oncommand_insight -
netapp oncommand_workflow_automation -
CVE-2021-37750 MEDIUM

The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.5 and 1.19.x before 1.19.3 has a NULL pointer dereference in kdc/do_tgs_req.c via a FAST inner body that lacks a server field.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
mit kerberos_5 *
debian debian_linux 9.0
fedoraproject fedora 33
oracle communications_cloud_native_core_network_slice_selection_function 22.1.0
starwindsoftware starwind_virtual_san v8r13
CVE-2022-39028

telnetd in GNU Inetutils through 2.3, MIT krb5-appl through 1.0.3, and derivative works has a NULL pointer dereference via 0xff 0xf7 or 0xff 0xf8. In a typical installation, the telnetd application would crash but the telnet service would remain available through inetd. However, if the telnetd application has many crashes within a short time interval, the telnet service would become unavailable after inetd logs a "telnet/tcp server failing (looping), service terminated" error. NOTE: MIT krb5-appl is not supported upstream but is shipped by a few Linux distributions. The affected code was removed from the supported MIT Kerberos 5 (aka krb5) product many years ago, at version 1.8.

Products Affected

Vendor Product Version
gnu inetutils *
debian debian_linux 10.0
mit kerberos_5 *
netkit-telnet_project netkit-telnet *
CVE-2022-42898

PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has "a similar bug."

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
mit kerberos_5 *
samba samba *
heimdal_project heimdal *
mit kerberos_5 1.20
CVE-2023-36054

lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.

Products Affected

Vendor Product Version
netapp active_iq_unified_manager -
debian debian_linux 10.0
mit kerberos_5 1.21
netapp hci -
mit kerberos_5 *
netapp management_services_for_element_software -
netapp ontap_tools -
netapp clustered_data_ontap 9.0
CVE-2023-39975

kdc/do_tgs_req.c in MIT Kerberos 5 (aka krb5) 1.21 before 1.21.2 has a double free that is reachable if an authenticated user can trigger an authorization-data handling failure. Incorrect data is copied from one ticket to another.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
mit kerberos_5 *
CVE-2024-26458

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.

Products Affected

Vendor Product Version
netapp active_iq_unified_manager -
netapp h610s_firmware -
netapp h615c_firmware -
netapp ontap_select_deploy_administration_utility -
netapp cloud_volumes_ontap_mediator -
netapp ontap_9 -
netapp h610c_firmware -
mit kerberos_5 1.21.2
netapp management_services_for_element_software_and_netapp_hci -
CVE-2024-26461

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.

Products Affected

Vendor Product Version
netapp active_iq_unified_manager -
netapp h610s_firmware -
netapp h615c_firmware -
netapp ontap_select_deploy_administration_utility -
netapp cloud_volumes_ontap_mediator -
netapp ontap_9 -
netapp h610c_firmware -
mit kerberos_5 1.21.2
netapp management_services_for_element_software_and_netapp_hci -
CVE-2024-26462

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.

Products Affected

Vendor Product Version
netapp active_iq_unified_manager -
netapp h610s_firmware -
netapp h615c_firmware -
netapp ontap_select_deploy_administration_utility -
netapp cloud_volumes_ontap_mediator -
netapp h610c_firmware -
mit kerberos_5 1.21.2
netapp management_services_for_element_software_and_netapp_hci -
CVE-2024-37370

In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.

Products Affected

Vendor Product Version
mit kerberos_5 *
CVE-2024-37371

In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.

Products Affected

Vendor Product Version
mit kerberos_5 *
debian debian_linux 12.0
debian debian_linux 11.0