CVE-2014-5351Sensitive Information Exposure in Kerberos 5

CWE-255CWE-200Sensitive Information Exposure10 documents8 sources
Severity
2.1LOWNVD
EPSS
0.3%
top 42.59%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
MIT Krb5MIT Kerberos 5
Timeline
PublishedOct 10
Latest updateMay 13

Description

The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13 sends old keys in a response to a -randkey -keepold request, which allows remote authenticated users to forge tickets by leveraging administrative access.

CVSS vector

AV:N/AC:H/C:P/I:N/A:NExploitability: 3.9 | Impact: 2.9

Affected Packages3 packages

Debianmit/krb5< 1.12.1+dfsg-10+3
Ubuntumit/krb5< 1.12+dfsg-2ubuntu5.1
NVDmit/kerberos_51.12.2

🔴Vulnerability Details

4
GHSA
GHSA-j87f-3fmr-m923: The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal2022-05-13
OSV
krb5 vulnerabilities2015-02-10
CVEList
CVE-2014-5351: The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal2014-10-10
OSV
CVE-2014-5351: The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal2014-10-10

📋Vendor Advisories

3
Ubuntu
Kerberos vulnerabilities2015-02-10
Red Hat
krb5: current keys returned when randomizing the keys for a service principal2014-08-21
Debian
CVE-2014-5351: krb5 - The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in kadmi...2014

💬Community

2
Bugzilla
CVE-2014-5351 krb5: current keys returned when randomizing the keys for a service principal2014-09-23
Bugzilla
CVE-2014-5351 krb5: current keys returned when randomizing the keys for a service principal [fedora-all]2014-09-23
CVE-2014-5351 — Sensitive Information Exposure | cvebase