Lucene search

K
mageiaGentoo FoundationMGASA-2024-0253
HistoryJul 03, 2024 - 7:36 p.m.

Updated krb5 packages fix security vulnerabilities

2024-07-0319:36:28
Gentoo Foundation
advisories.mageia.org
18
krb5 packages
security vulnerabilities
plaintext extra count
gss krb5 wrap token
truncated
invalid memory reads
gss message token handling
cve-2024-37370
cve-2024-37371
unix

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

AI Score

7.2

Confidence

Low

EPSS

0.001

Percentile

37.7%

Before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application. (CVE-2024-37370) Before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields. (CVE-2024-37371)

OSVersionArchitecturePackageVersionFilename
Mageia9noarchkrb5< 1.20.1-1.2krb5-1.20.1-1.2.mga9

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

AI Score

7.2

Confidence

Low

EPSS

0.001

Percentile

37.7%