CVE-2014-9421

2015-02-0300:00:00

ubuntu.com

9 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

0.018 Low

EPSS

Percentile

88.0%

JSON

The auth_gssapi_unwrap_data function in lib/rpc/auth_gssapi_misc.c in MIT
Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x
before 1.13.1 does not properly handle partial XDR deserialization, which
allows remote authenticated users to cause a denial of service
(use-after-free and double free, and daemon crash) or possibly execute
arbitrary code via malformed XDR data, as demonstrated by data sent to
kadmind.

OSVersionArchitecturePackageVersionFilename
ubuntu10.04noarchkrb5< 1.8.1+dfsg-2ubuntu0.14UNKNOWN
ubuntu12.04noarchkrb5< 1.10+dfsg~beta1-2ubuntu0.6UNKNOWN
ubuntu14.04noarchkrb5< 1.12+dfsg-2ubuntu5.1UNKNOWN
ubuntu14.10noarchkrb5< 1.12.1+dfsg-10ubuntu0.1UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	10.04	noarch	krb5	< 1.8.1+dfsg-2ubuntu0.14	UNKNOWN
ubuntu	12.04	noarch	krb5	< 1.10+dfsg~beta1-2ubuntu0.6	UNKNOWN
ubuntu	14.04	noarch	krb5	< 1.12+dfsg-2ubuntu5.1	UNKNOWN
ubuntu	14.10	noarch	krb5	< 1.12.1+dfsg-10ubuntu0.1	UNKNOWN