Information Exposure

Affecting krb5 package, versions <1.12.1+dfsg-17

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

NVD Description

Note: Versions mentioned in the description apply to the upstream krb5 package. See Remediation section below for Debian:9 relevant versions.

The svcauth_gss_accept_sec_context function in lib/rpc/svc_auth_gss.c in MIT Kerberos 5 (aka krb5) 1.11.x through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 transmits uninitialized interposer data to clients, which allows remote attackers to obtain sensitive information from process heap memory by sniffing the network for data in a handle field.

Remediation

Upgrade Debian:9 krb5 to version 1.12.1+dfsg-17 or higher.

References

CVSS Score

5.3
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    None
  • Availability
    None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE
CVE-2014-9423
CWE
CWE-200
Snyk ID
SNYK-DEBIAN9-KRB5-395862
Disclosed
19 Feb, 2015
Published
19 Feb, 2015