Veracode Vulnerability DatabaseVERACODE:12019Denial Of Service (DoS)
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
2.1 Low
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:H/Au:S/C:P/I:N/A:N
krb5 is vulnerable to denial of service (DoS) attacks. The vulnerability exists as the xdr_nullstring function in lib/kadm5/kadm_rpc_xdr.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13.4 and 1.14.x before 1.14.1 does not verify whether ‘\0’ characters exist as expected, which allows remote authenticated users to obtain sensitive information or cause a denial of service (out-of-bounds read) via a crafted string.
References
krbdev.mit.edu/rt/Ticket/Display.html?id=8341
lists.opensuse.org/opensuse-updates/2016-02/msg00059.html
lists.opensuse.org/opensuse-updates/2016-02/msg00110.html
rhn.redhat.com/errata/RHSA-2016-0493.html
rhn.redhat.com/errata/RHSA-2016-0532.html
www.debian.org/security/2016/dsa-3466
www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
www.securityfocus.com/bid/82801
www.securitytracker.com/id/1034914
access.redhat.com/security/updates/classification/#moderate
github.com/krb5/krb5/commit/df17a1224a3406f57477bcd372c61e04c0e5a5bb
rhn.redhat.com/errata/RHSA-2016-0493.html
Related
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
2.1 Low
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:H/Au:S/C:P/I:N/A:N