CVE-2018-5710

2018-01-1600:00:00

ubuntu.com

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:N/I:N/A:P

0.002 Low

EPSS

Percentile

51.8%

JSON

An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. The
pre-defined function “strlen” is getting a “NULL” string as a parameter
value in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in the Key
Distribution Center (KDC), which allows remote authenticated users to cause
a denial of service (NULL pointer dereference) via a modified kadmin
client.

Bugs

<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889685>

Notes

Author	Note
ccdm94	this CVE was patched as CVE-2018-5729.

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchkrb5< 1.16-2ubuntu0.1UNKNOWN
ubuntu14.04noarchkrb5< 1.12+dfsg-2ubuntu5.4) Available with Ubuntu Pro or Ubuntu Pro (Infra-onlyUNKNOWN
ubuntu16.04noarchkrb5< 1.13.2+dfsg-5ubuntu2.1) Available with Ubuntu Pro or Ubuntu Pro (Infra-onlyUNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	18.04	noarch	krb5	< 1.16-2ubuntu0.1	UNKNOWN
ubuntu	14.04	noarch	krb5	< 1.12+dfsg-2ubuntu5.4) Available with Ubuntu Pro or Ubuntu Pro (Infra-only	UNKNOWN
ubuntu	16.04	noarch	krb5	< 1.13.2+dfsg-5ubuntu2.1) Available with Ubuntu Pro or Ubuntu Pro (Infra-only	UNKNOWN