CVE-2011-1526 — Improper Privilege Management in Krb5-appl

CWE-269 — Improper Privilege Management7 documents5 sources

Severity

6.5MEDIUMNVD

EPSS

0.3%

top 44.55%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

7

MIT Krb5-appl Debian Linux Fedoraproject Fedora +4 more

Timeline

PublishedJul 11

Latest updateMay 13

Description

ftpd.c in the GSS-API FTP daemon in MIT Kerberos Version 5 Applications (aka krb5-appl) 1.0.1 and earlier does not check the krb5_setegid return value, which allows remote authenticated users to bypass intended group access restrictions, and create, overwrite, delete, or read files, via standard FTP commands, related to missing autoconf tests in a configure script.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 8.0 | Impact: 6.4

Affected Packages5 packages

▶NVDmit/krb5-appl< 1.0.1

▶NVDopensuse/opensuse11.3, 11.4+1

▶NVDsuse/linux_enterprise_server10, 11+1

▶NVDsuse/linux_enterprise_desktop10, 11+1

▶NVDsuse/linux_enterprise_software_development_kit10, 11+1

Also affects: Debian Linux 5.0, 6.0, Fedora 14, 15

Patches

Patch: web.mit.edu ↗Patch: www.securityfocus.com ↗Patch: web.mit.edu ↗

🔴Vulnerability Details

2

GHSA

GHSA-qc9v-p4hp-c5fh: ftpd↗2022-05-13

▶

CVEList

CVE-2011-1526: ftpd↗2011-07-11

▶

📋Vendor Advisories

1

Red Hat

krb5-appl: ftpd incorrect group privilege dropping (MITKRB5-SA-2011-005)↗2011-07-05

▶

💬Community

3

Bugzilla

CVE-2011-1526 krb5, krb5-appl: ftpd incorrect group privilege dropping (MITKRB5-SA-2011-005) [fedora-all]↗2011-07-05

▶

Bugzilla

CVE-2009-5064 glibc: ldd unexpected code execution issue [rhel-6.2]↗2011-06-14

▶

Bugzilla

CVE-2011-1526 krb5, krb5-appl: ftpd incorrect group privilege dropping (MITKRB5-SA-2011-005)↗2011-06-07

▶

CVE-2011-1526 — Improper Privilege Management | cvebase