| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2021-37750 | 476 | | | 2021-08-23 | 2021-10-07 | 4.0 | None | Remote | Low | ??? | None | None | Partial | The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.5 and 1.19.x before 1.19.3 has a NULL pointer dereference in kdc/do_tgs_req.c via a FAST inner body that lacks a server field. |
| 2 | CVE-2021-36222 | 476 | | | 2021-07-22 | 2021-11-28 | 5.0 | None | Remote | Low | Not required | None | None | Partial | ec_verify in kdc/kdc_preauth_ec.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.4 and 1.19.x before 1.19.2 allows remote attackers to cause a NULL pointer dereference and daemon crash. This occurs because a return value is not properly managed in a certain situation. |
| 3 | CVE-2020-28196 | 674 | | | 2020-11-06 | 2022-05-12 | 5.0 | None | Remote | Low | Not required | None | None | Partial | MIT Kerberos 5 (aka krb5) before 1.17.2 and 1.18.x before 1.18.3 allows unbounded recursion via an ASN.1-encoded Kerberos message because the lib/krb5/asn.1/asn1_encode.c support for BER indefinite lengths lacks a recursion limit. |
| 4 | CVE-2019-14844 | | | | 2019-09-26 | 2022-03-25 | 5.0 | None | Remote | Low | Not required | None | None | Partial | A flaw was found in Fedora versions of krb5 from 1.16.1 up to and including 1.17.x, in the way a Kerberos client could crash the KDC by sending one of the RFC 4556 "enctypes". A remote unauthenticated user could use this flaw to crash the KDC. |
| 5 | CVE-2018-5730 | 90 | | | 2018-03-06 | 2022-04-18 | 5.5 | None | Remote | Low | ??? | Partial | Partial | None | MIT krb5 1.6 or later allows an authenticated kadmin with permission to add principals to an LDAP Kerberos database to circumvent a DN containership check by supplying both a "linkdn" and "containerdn" database argument, or by supplying a DN string which is a left extension of a container DN string but is not hierarchically within the container DN. |
| 6 | CVE-2018-5729 | 476 | | DoS Bypass | 2018-03-06 | 2021-10-18 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | MIT krb5 1.6 or later allows an authenticated kadmin with permission to add principals to an LDAP Kerberos database to cause a denial of service (NULL pointer dereference) or bypass a DN container check by supplying tagged data that is internal to the database module. |
| 7 | CVE-2017-15088 | 119 | | DoS Exec Code Overflow | 2017-11-23 | 2021-01-26 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related to the get_matching_data and X509_NAME_oneline_ex functions. NOTE: this has security relevance only in use cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin code that is specific to Red Hat. |
| 8 | CVE-2017-7562 | 287 | | Bypass | 2018-07-26 | 2020-01-21 | 4.0 | None | Remote | Low | ??? | None | Partial | None | An authentication bypass flaw was found in the way krb5's certauth interface before 1.16.1 handled the validation of client certificates. A remote attacker able to communicate with the KDC could potentially use this flaw to impersonate arbitrary principals under rare and erroneous circumstances. |
| 9 | CVE-2015-8631 | 772 | | DoS | 2016-02-13 | 2021-02-02 | 4.0 | None | Remote | Low | ??? | None | None | Partial | Multiple memory leaks in kadmin/server/server_stubs.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13.4 and 1.14.x before 1.14.1 allow remote authenticated users to cause a denial of service (memory consumption) via a request specifying a NULL principal name. |
| 10 | CVE-2015-8629 | 125 | | DoS +Info | 2016-02-13 | 2021-02-02 | 2.1 | None | Remote | High | ??? | Partial | None | None | The xdr_nullstring function in lib/kadm5/kadm_rpc_xdr.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13.4 and 1.14.x before 1.14.1 does not verify whether '\0' characters exist as expected, which allows remote authenticated users to obtain sensitive information or cause a denial of service (out-of-bounds read) via a crafted string. |
| 11 | CVE-2015-2697 | 125 | | DoS | 2015-11-09 | 2021-02-02 | 4.0 | None | Remote | Low | ??? | None | None | Partial | The build_principal_va function in lib/krb5/krb/bld_princ.c in MIT Kerberos 5 (aka krb5) before 1.14 allows remote authenticated users to cause a denial of service (out-of-bounds read and KDC crash) via an initial '\0' character in a long realm field within a TGS request. |
| 12 | CVE-2015-2696 | 18 | | DoS | 2015-11-09 | 2021-02-02 | 7.1 | None | Remote | Medium | Not required | None | None | Complete | lib/gssapi/krb5/iakerb.c in MIT Kerberos 5 (aka krb5) before 1.14 relies on an inappropriate context handle, which allows remote attackers to cause a denial of service (incorrect pointer read and process crash) via a crafted IAKERB packet that is mishandled during a gss_inquire_context call. |
| 13 | CVE-2015-2695 | 763 | | DoS | 2015-11-09 | 2021-02-02 | 5.0 | None | Remote | Low | Not required | None | None | Partial | lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) before 1.14 relies on an inappropriate context handle, which allows remote attackers to cause a denial of service (incorrect pointer read and process crash) via a crafted SPNEGO packet that is mishandled during a gss_inquire_context call. |
| 14 | CVE-2014-5353 | 476 | | DoS | 2014-12-16 | 2021-02-02 | 3.5 | None | Remote | Medium | ??? | None | None | Partial | The krb5_ldap_get_password_policy_from_dn function in plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c in MIT Kerberos 5 (aka krb5) before 1.13.1, when the KDC uses LDAP, allows remote authenticated users to cause a denial of service (daemon crash) via a successful LDAP query with no results, as demonstrated by using an incorrect object type for a password policy. |
| 15 | CVE-2014-4341 | 125 | | DoS | 2014-07-20 | 2021-02-02 | 5.0 | None | Remote | Low | Not required | None | None | Partial | MIT Kerberos 5 (aka krb5) before 1.12.2 allows remote attackers to cause a denial of service (buffer over-read and application crash) by injecting invalid tokens into a GSSAPI application session. |
| 16 | CVE-2013-1418 | 476 | | DoS | 2013-11-18 | 2021-02-02 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | The setup_server_realm function in main.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.10.7, when multiple realms are configured, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted request. |
| 17 | CVE-2013-1416 | 476 | | DoS | 2013-04-19 | 2021-02-02 | 4.0 | None | Remote | Low | ??? | None | None | Partial | The prep_reprocess_req function in do_tgs_req.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.10.5 does not properly perform service-principal realm referral, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted TGS-REQ request. |
| 18 | CVE-2013-1415 | 476 | | DoS | 2013-03-05 | 2021-02-02 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The pkinit_check_kdc_pkid function in plugins/preauth/pkinit/pkinit_crypto_openssl.c in the PKINIT implementation in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.10.4 and 1.11.x before 1.11.1 does not properly handle errors during extraction of fields from an X.509 certificate, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a malformed KRB5_PADATA_PK_AS_REQ AS-REQ request. |
| 19 | CVE-2012-1016 | 476 | | DoS | 2013-03-05 | 2021-02-02 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The pkinit_server_return_padata function in plugins/preauth/pkinit/pkinit_srv.c in the PKINIT implementation in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.10.4 attempts to find an agility KDF identifier in inappropriate circumstances, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted Draft 9 request. |
| 20 | CVE-2010-1321 | 476 | | DoS | 2010-05-19 | 2021-02-02 | 6.8 | None | Remote | Low | ??? | None | None | Complete | The kg_accept_krb5 function in krb5/accept_sec_context.c in the GSS-API library in MIT Kerberos 5 (aka krb5) through 1.7.1 and 1.8 before 1.8.2, as used in kadmind and other applications, does not properly check for invalid GSS-API tokens, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via an AP-REQ message in which the authenticator's checksum field is missing. |
| 21 | CVE-2007-2798 | 787 | | Exec Code Overflow | 2007-06-26 | 2021-02-02 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete | Stack-based buffer overflow in the rename_principal_2_svc function in kadmind for MIT Kerberos 1.5.3, 1.6.1, and other versions allows remote authenticated users to execute arbitrary code via a crafted request to rename a principal. |
| 22 | CVE-2007-2443 | | | Exec Code | 2007-06-26 | 2021-02-02 | 8.3 | None | Local Network | Low | Not required | Complete | Complete | Complete | Integer signedness error in the gssrpc__svcauth_unix function in svc_auth_unix.c in the RPC library in MIT Kerberos 5 (krb5) 1.6.1 and earlier might allow remote attackers to execute arbitrary code via a negative length value. |
| 23 | CVE-2007-2442 | | | Exec Code | 2007-06-26 | 2021-02-02 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | The gssrpc__svcauth_gssapi function in the RPC library in MIT Kerberos 5 (krb5) 1.6.1 and earlier might allow remote attackers to execute arbitrary code via a zero-length RPC credential, which causes kadmind to free an uninitialized pointer during cleanup. |
| 24 | CVE-2007-1216 | 415 | | Exec Code | 2007-04-06 | 2021-02-02 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete | Double free vulnerability in the GSS-API library (lib/gssapi/krb5/k5unseal.c), as used by the Kerberos administration daemon (kadmind) in MIT krb5 before 1.6.1, when used with the authentication method provided by the RPCSEC_GSS RPC library, allows remote authenticated users to execute arbitrary code and modify the Kerberos key database via a message with an "invalid direction encoding". |
| 25 | CVE-2007-0957 | 787 | | Exec Code Overflow | 2007-04-06 | 2021-02-02 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete | Stack-based buffer overflow in the krb5_klog_syslog function in the kadm5 library, as used by the Kerberos administration daemon (kadmind) and Key Distribution Center (KDC), in MIT krb5 before 1.6.1 allows remote authenticated users to execute arbitrary code and modify the Kerberos key database via crafted arguments, possibly involving certain format string specifiers. |
| 26 | CVE-2007-0956 | 306 | | Bypass | 2007-04-06 | 2021-02-02 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | The telnet daemon (telnetd) in MIT krb5 before 1.6.1 allows remote attackers to bypass authentication and gain system access via a username beginning with a '-' character, a similar issue to CVE-2007-0882. |
| 27 | CVE-2006-6144 | | | DoS | 2006-12-31 | 2021-02-02 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The "mechglue" abstraction interface of the GSS-API library for Kerberos 5 1.5 through 1.5.1, as used in the Kerberos administration daemon (kadmind) and other products that use this library, allows remote attackers to cause a denial of service (crash) via unspecified vectors that cause mechglue to free uninitialized pointers. |
| 28 | CVE-2004-1189 | 787 | | Exec Code Overflow | 2004-12-31 | 2021-02-02 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete | The add_to_history function in svr_principal.c in libkadm5srv for MIT Kerberos 5 (krb5) up to 1.3.5, when performing a password change, does not properly track the password policy's history count and the maximum number of keys, which can cause an array index out-of-bounds error and may allow authenticated users to execute arbitrary code via a heap-based buffer overflow. |
| 29 | CVE-2004-0643 | 415 | | Exec Code | 2004-09-28 | 2021-02-02 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial | Double free vulnerability in the krb5_rd_cred function for MIT Kerberos 5 (krb5) 1.3.1 and earlier may allow local users to execute arbitrary code. |
| 30 | CVE-2004-0642 | 415 | | Exec Code | 2004-09-28 | 2021-02-02 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Double free vulnerabilities in the error handling code for ASN.1 decoders in the (1) Key Distribution Center (KDC) library and (2) client library for MIT Kerberos 5 (krb5) 1.3.4 and earlier may allow remote attackers to execute arbitrary code. |
| 31 | CVE-2002-2443 | 20 | | DoS | 2013-05-29 | 2021-02-02 | 5.0 | None | Remote | Low | Not required | None | None | Partial | schpw.c in the kpasswd service in kadmind in MIT Kerberos 5 (aka krb5) before 1.11.3 does not properly validate UDP packets before sending responses, which allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged packet that triggers a communication loop, as demonstrated by krb_pingpong.nasl, a related issue to CVE-1999-0103. |
| 32 | CVE-2002-1235 | | | Exec Code Overflow | 2002-11-04 | 2020-01-21 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | The kadm_ser_in function in (1) the Kerberos v4 compatibility administration daemon (kadmind4) in MIT Kerberos 5 (krb5) krb5-1.2.6 and earlier, (2) kadmind in KTH Kerberos 4 (eBones) before 1.2.1, and (3) kadmind in KTH Kerberos 5 (Heimdal) before 0.5.1 when compiled with Kerberos 4 support, does not properly verify the length field of a request, which allows remote attackers to execute arbitrary code via a buffer overflow attack. |
| 33 | CVE-2001-1323 | 120 | | DoS Exec Code Overflow | 2001-05-16 | 2021-11-04 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Buffer overflow in MIT Kerberos 5 (krb5) 1.2.2 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via base-64 encoded data, which is not properly handled when the radix_encode function processes file glob output from the ftpglob function. |
| 34 | CVE-2000-0548 | 120 | | DoS Overflow | 2000-06-09 | 2021-02-02 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Buffer overflow in the Kerberos 4 KDC program allows remote attackers to cause a denial of service via the e_msg variable in the kerb_err_reply function. |
| 35 | CVE-2000-0547 | 120 | | DoS Overflow | 2000-06-09 | 2021-02-02 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Buffer overflow in the Kerberos 4 KDC program allows remote attackers to cause a denial of service via the localrealm variable in the process_v4 function. |
| 36 | CVE-2000-0546 | 120 | | DoS Overflow | 2000-06-09 | 2021-02-02 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Buffer overflow in the Kerberos 4 KDC program allows remote attackers to cause a denial of service via the lastrealm variable in the set_tgtkey function. |