CVE-2014-5353 — NULL Pointer Dereference in Kerberos 5
Severity
3.5LOWNVD
EPSS
0.7%
top 29.08%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedDec 16
Latest updateMay 13
Description
The krb5_ldap_get_password_policy_from_dn function in plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c in MIT Kerberos 5 (aka krb5) before 1.13.1, when the KDC uses LDAP, allows remote authenticated users to cause a denial of service (daemon crash) via a successful LDAP query with no results, as demonstrated by using an incorrect object type for a password policy.
CVSS vector
AV:N/AC:M/C:N/I:N/A:PExploitability: 6.8 | Impact: 2.9
Affected Packages7 packages
Also affects: Debian Linux 7.0, Fedora 22, Ubuntu Linux 10.04, 12.04, 14.04, 14.10, Enterprise Linux 6.6, 7.3, 7.4, 7.5, 7.6, 7.7
Patches
🔴Vulnerability Details
4GHSA▶
GHSA-x6p8-9r6f-f728: The krb5_ldap_get_password_policy_from_dn function in plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy↗2022-05-13
OSV▶
CVE-2014-5353: The krb5_ldap_get_password_policy_from_dn function in plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy↗2014-12-16
CVEList▶
CVE-2014-5353: The krb5_ldap_get_password_policy_from_dn function in plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy↗2014-12-16