LDAP Injection

Affecting krb5 package, versions *


Overview

MIT krb5 1.6 or later allows an authenticated kadmin with permission to add principals to an LDAP Kerberos database to circumvent a DN containership check by supplying both a "linkdn" and "containerdn" database argument, or by supplying a DN string which is a left extension of a container DN string but is not hierarchically within the container DN.
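The flaw described above is a containment check that compares DN strings rather than DN structure. The following is an added illustration, not krb5's own code: it places the weak string-suffix test beside a check that splits the DN into RDNs (honouring backslash escapes per RFC 4514) and compares the trailing RDNs, and it shows the mutually exclusive `linkdn`/`containerdn` argument check. The function names, the sample DNs and the simplification that all attribute values match case-insensitively are assumptions made for this example.

```python
"""Constructed example: hierarchical vs string-based DN containment.

Not krb5's code. A check that only asks whether the principal DN string
ends with the container DN string (a "left extension") accepts DNs that
are not actually beneath the container in the directory tree.
"""
from typing import List, Optional


def split_dn(dn: str) -> List[str]:
    """Split an RFC 4514 DN string into normalised RDN strings.

    Backslash-escaped characters are kept with their escape, so an
    escaped comma inside a value does not start a new RDN. Multi-valued
    RDNs (a+b) stay as one string. Types and values are lower-cased and
    trimmed, assuming every attribute uses case-insensitive matching
    (a simplification for this example).
    """
    rdns: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    out: List[str] = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        out.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return out


def naive_contained(dn: str, container: str) -> bool:
    """Weak check: plain string-suffix comparison (the left-extension test)."""
    return dn.lower().endswith(container.lower())


def hierarchically_contained(dn: str, container: str,
                             allow_equal: bool = False) -> bool:
    """Structural check: the container's RDNs must equal the trailing RDNs
    of dn. A principal entry must sit strictly below the container; a
    containerdn argument may also name the container itself."""
    d = split_dn(dn)
    c = split_dn(container)
    if len(d) < len(c) or (len(d) == len(c) and not allow_equal):
        return False
    return d[len(d) - len(c):] == c


def validate_dn_args(container: str,
                     containerdn: Optional[str] = None,
                     linkdn: Optional[str] = None) -> Optional[str]:
    """Validate kadmin-style DN arguments against the configured container.

    Returns None when accepted, otherwise the reason for rejection.
    Rejects the combination the advisory names (both linkdn and
    containerdn) and requires any DN given to lie under the container.
    """
    if containerdn is not None and linkdn is not None:
        return "containerdn and linkdn are mutually exclusive"
    if containerdn is not None and not hierarchically_contained(
            containerdn, container, allow_equal=True):
        return f"{containerdn!r} is not under {container!r}"
    if linkdn is not None and not hierarchically_contained(linkdn, container):
        return f"{linkdn!r} is not under {container!r}"
    return None


if __name__ == "__main__":
    # Constructed sample DNs.
    container = "ou=krb,dc=example,dc=com"
    cases = [
        "cn=alice,ou=krb,dc=example,dc=com",        # genuinely beneath
        "cn=alice\\,ou=krb,dc=example,dc=com",      # escaped comma: one RDN
        "cn=bob,dc=xou=krb,dc=example,dc=com",      # '=' inside a value
    ]
    for dn in cases:
        print(f"{dn!r}: suffix={naive_contained(dn, container)} "
              f"structural={hierarchically_contained(dn, container)}")
```

Both crafted DNs end with the container string and pass the suffix test, yet each has only three RDNs with `dc=example,dc=com` as the true parent, so the structural check rejects them.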

CVSS Score

3.8
low severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    High
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    None
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
CVE
CVE-2018-5730
CWE
CWE-90
Snyk ID
SNYK-DEBIAN9-KRB5-396210
Disclosed
06 Mar, 2018
Published
06 Mar, 2018