CVE-2022-42898
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.2 High
AI Score
Confidence
High
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
0.005 Low
EPSS
Percentile
76.0%
PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has “a similar bug.”
References
bugzilla.samba.org/show_bug.cgi?id=15203
github.com/heimdal/heimdal/security/advisories/GHSA-64mq-fvfj-5x3c
github.com/krb5/krb5/commit/ea92d2f0fcceb54a70910fa32e9a0d7a5afc3583
security.gentoo.org/glsa/202309-06
security.gentoo.org/glsa/202310-06
security.netapp.com/advisory/ntap-20230216-0008/
security.netapp.com/advisory/ntap-20230223-0001/
web.mit.edu/kerberos/advisories/
web.mit.edu/kerberos/krb5-1.19/
web.mit.edu/kerberos/krb5-1.20/README-1.20.1.txt
www.samba.org/samba/security/CVE-2022-42898.html
Social References
More
Related
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.2 High
AI Score
Confidence
High
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
0.005 Low
EPSS
Percentile
76.0%