CVE-2023-25566

Опубликовано: 14 фев. 2023

Источник: redhat

CVSS3: 7.5

EPSS Низкий

Описание

GSS-NTLMSSP is a mechglue plugin for the GSSAPI library that implements NTLM authentication. Prior to version 1.2.0, a memory leak can be triggered when parsing usernames which can trigger a denial-of-service. The domain portion of a username may be overridden causing an allocated memory area the size of the domain name to be leaked. An attacker can leak memory via the main gss_accept_sec_context entry point, potentially causing a denial-of-service. This issue is fixed in version 1.2.0.

A flaw was found in GSS-NTLMSSP, a mechglue plugin for the GSSAPI library that implements NTLM authentication. A memory leak can be triggered when parsing usernames, triggering a denial of service. The domain portion of a username may be overridden, causing an allocated memory area the size of the domain name to be leaked. This flaw allows an attacker to leak memory via the main gss_accept_sec_context entry point, potentially causing a denial of service.

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-401

https://bugzilla.redhat.com/show_bug.cgi?id=2172022gssntlmssp: memory leak when parsing usernames

EPSS

Процентиль: 26%

0.00089

Низкий

7.5 High

CVSS3

Связанные уязвимости

CVE-2023-25566

CVSS3: 7.5

ubuntu

больше 2 лет назад

CVE-2023-25566

CVSS3: 7.5

nvd

больше 2 лет назад

CVE-2023-25566

CVSS3: 7.5

msrc

6 месяцев назад

Описание отсутствует

CVE-2023-25566

CVSS3: 7.5

debian

больше 2 лет назад

GSS-NTLMSSP is a mechglue plugin for the GSSAPI library that implement ...

openSUSE-SU-2023:0048-1

suse-cvrf

больше 2 лет назад

Security update for gssntlmssp

EPSS

Процентиль: 26%

0.00089

Низкий

7.5 High

CVSS3