CVE-2010-1322 — Improper Input Validation in Kerberos 5

CWE-20 — Improper Input Validation8 documents8 sources

Severity

6.5MEDIUMNVD

EPSS

1.5%

top 19.09%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

MIT Krb5 MIT Kerberos 5

Timeline

PublishedOct 7

Latest updateMay 2

Description

The merge_authdata function in kdc_authdata.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8.x before 1.8.4 does not properly manage an index into an authorization-data list, which allows remote attackers to cause a denial of service (daemon crash), or possibly obtain sensitive information, spoof authorization, or execute arbitrary code, via a TGS request that triggers an uninitialized pointer dereference, as demonstrated by a request from a Windows Active Directory client…

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 8.0 | Impact: 6.4

Affected Packages2 packages

▶Debianmit/krb5< 1.8.3+dfsg-2+3

▶NVDmit/kerberos_54 versions+3

Patches

Patch: web.mit.edu ↗Patch: www.securityfocus.com ↗Patch: web.mit.edu ↗

🔴Vulnerability Details

GHSA

GHSA-x582-whcx-rpqp: The merge_authdata function in kdc_authdata↗2022-05-02

▶

OSV

CVE-2010-1322: The merge_authdata function in kdc_authdata↗2010-10-07

▶

CVEList

CVE-2010-1322: The merge_authdata function in kdc_authdata↗2010-10-07

▶

📋Vendor Advisories

Red Hat

krb5: KDC uninitialized pointer crash in authorization data handling (MITKRB5-SA-2010-006)↗2010-10-05

▶

Ubuntu

Kerberos vulnerability↗2010-10-05

▶

Debian

CVE-2010-1322: krb5 - The merge_authdata function in kdc_authdata.c in the Key Distribution Center (KD...↗2010

▶

💬Community

Bugzilla

CVE-2010-1322 krb5: KDC uninitialized pointer crash in authorization data handling (MITKRB5-SA-2010-006)↗2010-09-21

▶