CVE-2007-5901
published 2007-12-06CVE-2007-5901: Use-after-free vulnerability in the gss_indicate_mechs function in lib/gssapi/mechglue/g_initialize.c in MIT Kerberos 5 (krb5) has unknown impact and attack…
PriorityP414medium6.9CVSS 2.0
AVLACMAuNCCICAC
EPSS
0.47%
37.2th percentile
Use-after-free vulnerability in the gss_indicate_mechs function in lib/gssapi/mechglue/g_initialize.c in MIT Kerberos 5 (krb5) has unknown impact and attack vectors. NOTE: this might be the result of a typo in the source code.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | krb5 | < krb5 1.6.dfsg.4~beta1-1 (bookworm) | krb5 1.6.dfsg.4~beta1-1 (bookworm) |
| mit | kerberos_5 | <= 1.6.3_kdc | — |
| mit | krb5 | >= 0 < 1.6.dfsg.4~beta1-1 | 1.6.dfsg.4~beta1-1 |
| mit | krb5 | >= 0 < 1.6.dfsg.4~beta1-1 | 1.6.dfsg.4~beta1-1 |
| mit | krb5 | >= 0 < 1.6.dfsg.4~beta1-1 | 1.6.dfsg.4~beta1-1 |
| mit | krb5 | >= 0 < 1.6.dfsg.4~beta1-1 | 1.6.dfsg.4~beta1-1 |
CVSS provenance
nvdv2.06.9MEDIUMAV:L/AC:M/Au:N/C:C/I:C/A:C
osv6.9MEDIUM
vendor_debian6.9LOW
vendor_redhat6.9MEDIUM
vendor_ubuntu6.9MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
Kerberos vulnerabilities
vendor_ubuntu·2010-04-07·CVSS 6.9
CVE-2007-5901 [MEDIUM] Kerberos vulnerabilities
Title: Kerberos vulnerabilities
Summary: Kerberos vulnerabilities
Sol Jerome discovered that the Kerberos kadmind service did not correctly
free memory. An unauthenticated remote attacker could send specially
crafted traffic to crash the kadmind process, leading to a denial of
service. (CVE-2010-0629)
It was discovered that Kerberos did not correctly free memory in
the GSSAPI library. If a remote attacker were able to manipulate an
application using GSSAPI carefully, the service could crash, leading to
a denial of service. (Ubuntu 8.10 was not affected.) (CVE-2007-5901,
CVE-2007-5971)
It was discovered that Kerberos did not correctly free memory in the
GSSAPI and kdb libraries. If a remote attacker were able to manipulate
an application using these libraries carefully, the service coul
Red Hat
krb5: use-after-free in gssapi lib
vendor_redhat·2007-11-14·CVSS 6.9
CVE-2007-5901 [MEDIUM] CWE-416 krb5: use-after-free in gssapi lib
krb5: use-after-free in gssapi lib
Use-after-free vulnerability in the gss_indicate_mechs function in lib/gssapi/mechglue/g_initialize.c in MIT Kerberos 5 (krb5) has unknown impact and attack vectors. NOTE: this might be the result of a typo in the source code.
Statement: Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-5901
The Red Hat Product Security has rated this issue as having low security impact, a future update may address this flaw.
Debian
CVE-2007-5901: krb5 - Use-after-free vulnerability in the gss_indicate_mechs function in lib/gssapi/me...
vendor_debian·2007·CVSS 6.9
CVE-2007-5901 [MEDIUM] CVE-2007-5901: krb5 - Use-after-free vulnerability in the gss_indicate_mechs function in lib/gssapi/me...
Use-after-free vulnerability in the gss_indicate_mechs function in lib/gssapi/mechglue/g_initialize.c in MIT Kerberos 5 (krb5) has unknown impact and attack vectors. NOTE: this might be the result of a typo in the source code.
Scope: local
bookworm: resolved (fixed in 1.6.dfsg.4~beta1-1)
bullseye: resolved (fixed in 1.6.dfsg.4~beta1-1)
forky: resolved (fixed in 1.6.dfsg.4~beta1-1)
sid: resolved (fixed in 1.6.dfsg.4~beta1-1)
trixie: resolved (fixed in 1.6.dfsg.4~beta1-1)
GHSA
GHSA-qxh5-j4mp-pchg: Use-after-free vulnerability in the gss_indicate_mechs function in lib/gssapi/mechglue/g_initialize
ghsa_unreviewed·2022-05-01
CVE-2007-5901 [MEDIUM] GHSA-qxh5-j4mp-pchg: Use-after-free vulnerability in the gss_indicate_mechs function in lib/gssapi/mechglue/g_initialize
Use-after-free vulnerability in the gss_indicate_mechs function in lib/gssapi/mechglue/g_initialize.c in MIT Kerberos 5 (krb5) has unknown impact and attack vectors. NOTE: this might be the result of a typo in the source code.
OSV
CVE-2007-5901: Use-after-free vulnerability in the gss_indicate_mechs function in lib/gssapi/mechglue/g_initialize
osv·2007-12-06·CVSS 6.9
CVE-2007-5901 [MEDIUM] CVE-2007-5901: Use-after-free vulnerability in the gss_indicate_mechs function in lib/gssapi/mechglue/g_initialize
Use-after-free vulnerability in the gss_indicate_mechs function in lib/gssapi/mechglue/g_initialize.c in MIT Kerberos 5 (krb5) has unknown impact and attack vectors. NOTE: this might be the result of a typo in the source code.
No detection rules found.
No public exploits indexed.
http://bugs.gentoo.org/show_bug.cgi?id=199214http://docs.info.apple.com/article.html?artnum=307562http://lists.apple.com/archives/security-announce/2008/Mar/msg00001.htmlhttp://osvdb.org/43346http://seclists.org/fulldisclosure/2007/Dec/0176.htmlhttp://seclists.org/fulldisclosure/2007/Dec/0321.htmlhttp://secunia.com/advisories/29451http://secunia.com/advisories/29464http://secunia.com/advisories/29516http://secunia.com/advisories/39290http://security.gentoo.org/glsa/glsa-200803-31.xmlhttp://ubuntu.com/usn/usn-924-1http://www.mandriva.com/security/advisories?name=MDVSA-2008:069http://www.redhat.com/support/errata/RHSA-2008-0164.htmlhttp://www.securityfocus.com/bid/26750http://www.vupen.com/english/advisories/2008/0924/referenceshttps://issues.rpath.com/browse/RPL-2012https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11451https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00537.htmlhttps://www.redhat.com/archives/fedora-package-announce/2008-March/msg00544.htmlhttp://bugs.gentoo.org/show_bug.cgi?id=199214http://docs.info.apple.com/article.html?artnum=307562http://lists.apple.com/archives/security-announce/2008/Mar/msg00001.htmlhttp://osvdb.org/43346http://seclists.org/fulldisclosure/2007/Dec/0176.htmlhttp://seclists.org/fulldisclosure/2007/Dec/0321.htmlhttp://secunia.com/advisories/29451http://secunia.com/advisories/29464http://secunia.com/advisories/29516http://secunia.com/advisories/39290http://security.gentoo.org/glsa/glsa-200803-31.xmlhttp://ubuntu.com/usn/usn-924-1http://www.mandriva.com/security/advisories?name=MDVSA-2008:069http://www.redhat.com/support/errata/RHSA-2008-0164.htmlhttp://www.securityfocus.com/bid/26750http://www.vupen.com/english/advisories/2008/0924/referenceshttps://issues.rpath.com/browse/RPL-2012https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11451https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00537.htmlhttps://www.redhat.com/archives/fedora-package-announce/2008-March/msg00544.html
2007-12-06
Published