Key Management Errors

Affecting heimdal package, versions *

Overview

In the client side of Heimdal before 7.6.0, failure to verify anonymous PKINIT PA-PKINIT-KX key exchange permits a man-in-the-middle attack. This issue is in krb5_init_creds_step in lib/krb5/init_creds_pw.c.

CVSS Score

7.4 (low severity)

  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: None

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CVE: CVE-2019-12098
CWE: CWE-320
Snyk ID: SNYK-UBUNTU1604-HEIMDAL-346652
Disclosed: 15 May, 2019
Published: 15 May, 2019