CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.006 Low
Percentile: 78.2%
Severity: High
Date : 2017-10-05
CVE-ID : CVE-2017-11368 CVE-2017-11462
Package : krb5
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-414
The package krb5 before version 1.15.2-1 is vulnerable to multiple
issues including arbitrary code execution and denial of service.
Upgrade to 1.15.2-1.
The problems have been fixed upstream in version 1.15.2.
Workaround: None.
A denial of service flaw was found in the MIT Kerberos krb5kdc service. An
authenticated attacker could use this flaw to cause krb5kdc to exit
with an assertion failure by making an invalid S4U2Self or S4U2Proxy
request.
A double free vulnerability has been discovered in MIT Kerberos 5 (aka
krb5) allowing attackers to crash the application or possibly execute
arbitrary code via vectors involving automatic deletion of security
contexts on error.
A remote attacker is able to crash the application or possibly execute
arbitrary code on the affected host.
https://web.mit.edu/kerberos/krb5-1.15/
https://github.com/krb5/krb5/commit/ffb35baac6981f9e8914f8f3bffd37f284b85970
http://krbdev.mit.edu/rt/Ticket/Display.html?id=8598
https://bugzilla.redhat.com/show_bug.cgi?id=1488873
https://github.com/krb5/krb5/commit/56f7b1bc95a2a3eeb420e069e7655fb181ade5cf
https://security.archlinux.org/CVE-2017-11368
https://security.archlinux.org/CVE-2017-11462