Ubuntu.com (ubuntucve) UB:CVE-2014-9422
Feb 03, 2015 - 12:00 a.m.

CVE-2014-9422


CVSS2: 6.1 Medium
Access Vector: NETWORK
Access Complexity: HIGH
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: COMPLETE
AV:N/AC:H/Au:S/C:P/I:P/A:C

EPSS: 0.008 Low
Percentile: 81.6%

The check_rpcsec_auth function in kadmin/server/kadm_rpc_svc.c in kadmind
in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and
1.13.x before 1.13.1 allows remote authenticated users to bypass a kadmin/*
authorization check and obtain administrative access by leveraging access
to a two-component principal with an initial “kadmind” substring, as
demonstrated by a “ka/x” principal.
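
The comparison error behind this kind of bypass, shown beside a corrected check, as an added example that is not krb5 source code. The `struct comp` type and all function names are hypothetical, and the sample component values are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for one principal component: bytes plus a length
 * (constructed for this example, not a krb5 type). */
struct comp { const char *data; size_t len; };

/* Flawed pattern: compares only as many bytes as the caller-supplied
 * component has, so any initial substring of the expected name matches. */
static int comp_matches_flawed(const struct comp *c, const char *expected)
{
    return strncmp(expected, c->data, c->len) == 0;
}

/* Hardened pattern: lengths must agree before the bytes are compared. */
static int comp_matches_exact(const struct comp *c, const char *expected)
{
    size_t n = strlen(expected);
    return c->len == n && memcmp(c->data, expected, n) == 0;
}

/* Decision for the first component of a two-component principal:
 * only kadmin/... principals should pass. */
static int is_kadmin_service(const struct comp *first, int exact)
{
    return exact ? comp_matches_exact(first, "kadmin")
                 : comp_matches_flawed(first, "kadmin");
}

int main(void)
{
    /* Constructed sample first components, including an empty one. */
    const char *names[] = { "kadmin", "ka", "kadminx", "host", "" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        struct comp c = { names[i], strlen(names[i]) };
        printf("%-8s flawed=%d exact=%d\n", names[i],
               is_kadmin_service(&c, 0), is_kadmin_service(&c, 1));
    }
    return 0;
}
```

When reviewing authorization code, any `strncmp` whose length argument comes from the untrusted side of the comparison deserves the same scrutiny.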

OS      Version  Architecture  Package  Version                       Filename
ubuntu  10.04    noarch        krb5     < 1.8.1+dfsg-2ubuntu0.14      UNKNOWN
ubuntu  12.04    noarch        krb5     < 1.10+dfsg~beta1-2ubuntu0.6  UNKNOWN
ubuntu  14.04    noarch        krb5     < 1.12+dfsg-2ubuntu5.1        UNKNOWN
ubuntu  14.10    noarch        krb5     < 1.12.1+dfsg-10ubuntu0.1     UNKNOWN
