CVSS 3.1 base score: 6.5 (Medium)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS score: 0.003 (Low), percentile 67.7%
lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and
1.21.x before 1.21.1 frees an uninitialized pointer. The cause is that
_xdr_kadm5_principal_ent_rec does not validate that the n_key_data field it
decodes agrees with the element count of the key_data array it decodes
separately, so a later cleanup pass driven by n_key_data walks past the
array that was actually allocated. A remote user who already holds
authenticated kadmin access (the vector's PR:L) can send such a record and
crash kadmind; the impact is availability only (C:N/I:N/A:H). Fixed in
krb5 1.20.2 and 1.21.1.
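The following is an added illustration of the bug class described above, written for this page; it is not krb5's own code and does not reproduce kadm5's real structures, wire format or XDR routines. It models a simplified principal record whose key count is encoded twice (a scalar n_key_data and the array's own count), a vulnerable decoder that never compares them, a cleanup pass driven by n_key_data, and the hardened decoder that rejects the mismatch. The demo's cleanup counts and skips frees that would fall beyond the allocated array instead of performing them, so it runs safely; the message layout, type names and helper names are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative stand-ins for kadm5's key_data and principal_ent records;
 * these are NOT krb5's real definitions. */
typedef struct {
    uint32_t key_data_ver;
    uint8_t *key_data_contents;   /* heap buffer released during cleanup */
} key_data_t;

typedef struct {
    int32_t     n_key_data;       /* scalar count, as sent by the client */
    key_data_t *key_data;         /* array decoded with its own, separate count */
    uint32_t    allocated;        /* demo-only bookkeeping: real length of key_data */
} principal_ent_t;

typedef struct { const uint8_t *p, *end; } cursor_t;

/* XDR integers are 4-byte big-endian. */
static bool rd_u32(cursor_t *c, uint32_t *out) {
    if (c->end - c->p < 4) return false;
    *out = ((uint32_t)c->p[0] << 24) | ((uint32_t)c->p[1] << 16) |
           ((uint32_t)c->p[2] << 8)  |  (uint32_t)c->p[3];
    c->p += 4;
    return true;
}

static void wr_u32(uint8_t *b, uint32_t v) {
    b[0] = (uint8_t)(v >> 24); b[1] = (uint8_t)(v >> 16);
    b[2] = (uint8_t)(v >> 8);  b[3] = (uint8_t)v;
}

/* Constructed wire shape for the demo: int32 n_key_data, uint32 array_count,
 * then array_count elements of { uint32 key_data_ver }. The count appears
 * twice, and the vulnerable path (check_counts == false) never compares them. */
static bool decode_ent(cursor_t *c, principal_ent_t *ent, bool check_counts) {
    uint32_t n, count;
    memset(ent, 0, sizeof(*ent));
    if (!rd_u32(c, &n)) return false;
    ent->n_key_data = (int32_t)n;
    if (!rd_u32(c, &count)) return false;
    if (check_counts &&
        (ent->n_key_data < 0 || count != (uint32_t)ent->n_key_data))
        return false;                 /* hardened: reject the inconsistent record */
    if (count > (size_t)(c->end - c->p) / 4) return false;  /* not enough bytes */
    ent->key_data = calloc(count ? count : 1, sizeof(key_data_t));
    if (!ent->key_data) return false;
    ent->allocated = count;
    for (uint32_t i = 0; i < count; i++) {
        if (!rd_u32(c, &ent->key_data[i].key_data_ver)) return false;
        ent->key_data[i].key_data_contents = malloc(16);
        if (!ent->key_data[i].key_data_contents) return false;
    }
    return true;
}

/* Cleanup driven by n_key_data, modelling the failure mode in the advisory:
 * every entry up to n_key_data has its contents freed. Entries at or beyond
 * `allocated` were never produced by the decoder; the demo counts and skips
 * them instead of freeing whatever pointer happens to sit there. */
static uint32_t free_ent(principal_ent_t *ent) {
    uint32_t oob = 0;
    for (int32_t i = 0; i < ent->n_key_data; i++) {
        if ((uint32_t)i >= ent->allocated) { oob++; continue; }
        free(ent->key_data[i].key_data_contents);
    }
    free(ent->key_data);
    ent->key_data = NULL;
    return oob;
}

static size_t build_msg(uint8_t *buf, uint32_t n_key_data, uint32_t array_count) {
    wr_u32(buf, n_key_data);
    wr_u32(buf + 4, array_count);
    for (uint32_t i = 0; i < array_count; i++) wr_u32(buf + 8 + 4 * i, 1);
    return 8 + 4 * (size_t)array_count;
}

/* Vulnerable decoder followed by cleanup: returns how many frees would land on
 * memory the decoder never initialised (0 for a consistent record).
 * array_count must be <= 14 so the message fits the demo buffer. */
uint32_t vulnerable_oob_frees(uint32_t n_key_data, uint32_t array_count) {
    uint8_t buf[64];
    principal_ent_t ent;
    cursor_t c = { buf, buf + build_msg(buf, n_key_data, array_count) };
    bool ok = decode_ent(&c, &ent, false);
    return ent.key_data ? free_ent(&ent) : (ok ? 0 : 0);
}

/* Hardened decoder: returns whether the record is accepted at all. */
bool hardened_accepts(uint32_t n_key_data, uint32_t array_count) {
    uint8_t buf[64];
    principal_ent_t ent;
    cursor_t c = { buf, buf + build_msg(buf, n_key_data, array_count) };
    bool ok = decode_ent(&c, &ent, true);
    if (ent.key_data) free_ent(&ent);
    return ok;
}

int main(void) {
    printf("vulnerable: n_key_data=8, array=1 -> %u frees past the array\n",
           vulnerable_oob_frees(8, 1));
    printf("hardened:   n_key_data=8, array=1 -> %s\n",
           hardened_accepts(8, 1) ? "accepted" : "rejected");
    return 0;
}
```

The point to carry over to real parsers: whenever a length or count is transmitted redundantly, validate the copies against each other at decode time and fail the whole decode on disagreement, because downstream code (here the release path) will trust whichever copy it happens to read.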
OS | OS Version | Architecture | Package | Affected versions (fixed in) | Filename |
---|---|---|---|---|---|
ubuntu | 14.04 | noarch | krb5 | < 1.12+dfsg-2ubuntu5.4+esm4 | UNKNOWN |
ubuntu | 16.04 | noarch | krb5 | < 1.13.2+dfsg-5ubuntu2.2+esm4 | UNKNOWN |
ubuntu | 18.04 | noarch | krb5 | < 1.16-2ubuntu0.4+esm1 | UNKNOWN |
ubuntu | 20.04 | noarch | krb5 | < 1.17-6ubuntu4.4 | UNKNOWN |
ubuntu | 22.04 | noarch | krb5 | < 1.19.2-2ubuntu0.3 | UNKNOWN |
ubuntu | 23.04 | noarch | krb5 | < 1.20.1-1ubuntu0.1 | UNKNOWN |
github.com/krb5/krb5/compare/krb5-1.20.1-final...krb5-1.20.2-final
github.com/krb5/krb5/compare/krb5-1.21-final...krb5-1.21.1-final
launchpad.net/bugs/cve/CVE-2023-36054
nvd.nist.gov/vuln/detail/CVE-2023-36054
security-tracker.debian.org/tracker/CVE-2023-36054
ubuntu.com/security/notices/USN-6467-1
ubuntu.com/security/notices/USN-6467-2
web.mit.edu/kerberos/www/advisories/
www.cve.org/CVERecord?id=CVE-2023-36054