LDAP Injection in krb5

Do your applications use this vulnerable package? Test your applications

Overview

MIT krb5 1.6 or later allows an authenticated kadmin with permission to add principals to an LDAP Kerberos database to circumvent a DN containership check by supplying both a "linkdn" and "containerdn" database argument, or by supplying a DN string which is a left extension of a container DN string but is not hierarchically within the container DN.

References

Debian Bug Report
Debian Security Announcement
Debian Security Tracker
Fedora Security Update
Fedora Security Update
GitHub Commit
REDHAT
RHSA Security Advisory
RedHat Bugzilla Bug
Security Tracker
Ubuntu CVE Tracker

Attack Vector

Network
Attack Complexity

Low
Privileges Required

High
User Interaction

None
Scope

Unchanged
Confidentiality

Low
Integrity

Low
Availability

None

CVE: CVE-2018-5730
CWE: CWE-90
Snyk ID: SNYK-DEBIAN9-KRB5-396210
Disclosed: 06 Mar, 2018
Published: 06 Mar, 2018

LDAP Injection
Affecting krb5 package, versions *

Overview

References

CVSS Score

LDAP Injection Affecting krb5 package, versions *

Overview

References

LDAP Injection
Affecting krb5 package, versions *