Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2014-9421

Опубликовано: 03 фев. 2015
Источник: redhat
CVSS2: 6.5
EPSS Низкий

Описание

The auth_gssapi_unwrap_data function in lib/rpc/auth_gssapi_misc.c in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 does not properly handle partial XDR deserialization, which allows remote authenticated users to cause a denial of service (use-after-free and double free, and daemon crash) or possibly execute arbitrary code via malformed XDR data, as demonstrated by data sent to kadmind.

A double-free flaw was found in the way MIT Kerberos handled invalid External Data Representation (XDR) data. An authenticated user could use this flaw to crash the MIT Kerberos administration server (kadmind), or other applications using Kerberos libraries, using specially crafted XDR packets.

Отчет

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 5krb5Will not fix
Red Hat JBoss Enterprise Application Platform 6krb5Not affected
Red Hat JBoss Enterprise Web Server 2krb5Not affected
Red Hat Enterprise Linux 6krb5FixedRHSA-2015:079409.04.2015
Red Hat Enterprise Linux 7krb5FixedRHSA-2015:043905.03.2015

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-416
https://bugzilla.redhat.com/show_bug.cgi?id=1179857krb5: kadmind doubly frees partial deserialization results (MITKRB5-SA-2015-001)

EPSS

Процентиль: 88%
0.03849
Низкий

6.5 Medium

CVSS2

Связанные уязвимости

ubuntu логотип

CVE-2014-9421

ubuntu
больше 10 лет назад

The auth_gssapi_unwrap_data function in lib/rpc/auth_gssapi_misc.c in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 does not properly handle partial XDR deserialization, which allows remote authenticated users to cause a denial of service (use-after-free and double free, and daemon crash) or possibly execute arbitrary code via malformed XDR data, as demonstrated by data sent to kadmind.

nvd логотип

CVE-2014-9421

nvd
больше 10 лет назад

The auth_gssapi_unwrap_data function in lib/rpc/auth_gssapi_misc.c in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 does not properly handle partial XDR deserialization, which allows remote authenticated users to cause a denial of service (use-after-free and double free, and daemon crash) or possibly execute arbitrary code via malformed XDR data, as demonstrated by data sent to kadmind.

debian логотип

CVE-2014-9421

debian
больше 10 лет назад

The auth_gssapi_unwrap_data function in lib/rpc/auth_gssapi_misc.c in ...

github логотип

GHSA-cv75-v3vc-j2vj

github
больше 3 лет назад

The auth_gssapi_unwrap_data function in lib/rpc/auth_gssapi_misc.c in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 does not properly handle partial XDR deserialization, which allows remote authenticated users to cause a denial of service (use-after-free and double free, and daemon crash) or possibly execute arbitrary code via malformed XDR data, as demonstrated by data sent to kadmind.

suse-cvrf логотип

SUSE-SU-2015:0257-1

suse-cvrf
больше 10 лет назад

Security update for krb5

EPSS

Процентиль: 88%
0.03849
Низкий

6.5 Medium

CVSS2