Vulnerability DatabaseCVE-2023-36054
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2023-36054
August 07, 2023
lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.
Related ResourcesĀ (6)
https://github.com/krb5/krb5/compare/krb5-1.20.1-final...krb5-1.20.2-final
https://web.mit.edu/kerberos/www/advisories/
https://lists.debian.org/debian-lts-announce/2023/10/msg00031.html
https://github.com/krb5/krb5/compare/krb5-1.21-final...krb5-1.21.1-final
https://github.com/krb5/krb5/commit/ef08b09c9459551aabbe7924fb176f1583053cdd
https://security.netapp.com/advisory/ntap-20230908-0004/
Do you need more information?
Contact Us
CVSS v4
Base Score:
7.1
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
NONE
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
NONE
Availability
HIGH
Weakness Type (CWE)
Access of Uninitialized Pointer
CWE-824
EPSS
Base Score:
0.70