CVE-2001-0033 — External Initialization of Trusted Variables or Data Stores in Kerberos

CWE-454 — External Initialization of Trusted Variables or Data Stores4 documents4 sources

Severity

7.2HIGHNVD

EPSS

0.1%

top 84.67%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

KTH Kerberos Netbsd

Timeline

PublishedFeb 16

Latest updateApr 30

Description

KTH Kerberos IV allows local users to change the configuration of a Kerberos server running at an elevated privilege by specifying an alternate directory using with the KRBCONFDIR environmental variable, which allows the user to gain additional privileges.

CVSS vector

AV:L/AC:L/C:C/I:C/A:CExploitability: 3.9 | Impact: 10.0

Affected Packages1 packages

▶NVDkth/kth_kerberos4

Also affects: Netbsd 1.5

Patches

Patch: archives.neohapsis.com ↗Patch: archives.neohapsis.com ↗Patch: archives.neohapsis.com ↗

🔴Vulnerability Details

GHSA

GHSA-wcg5-3v2j-2jwv: KTH Kerberos IV allows local users to change the configuration of a Kerberos server running at an elevated privilege by specifying an alternate direct↗2022-04-30

▶

CVEList

CVE-2001-0033: KTH Kerberos IV allows local users to change the configuration of a Kerberos server running at an elevated privilege by specifying an alternate direct↗2001-05-07

▶

📐Framework References

CWE

External Initialization of Trusted Variables or Data Stores↗

▶