CVE-2017-11368

CWE-617 — Reachable Assertion7 documents7 sources

Severity

6.5MEDIUM

EPSS

0.7%

top 28.41%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fedoraproject Fedora MIT Kerberos MIT Kerberos 5

Timeline

PublishedAug 9

Latest updateMay 13

Description

In MIT Kerberos 5 (aka krb5) 1.7 and later, an authenticated attacker can cause a KDC assertion failure by sending invalid S4U2Self or S4U2Proxy requests.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶Debiankrb5< 1.15.1-2+3

▶NVDmit/kerberos5-1.13.7

▶NVDmit/kerberos_543 versions+42

Also affects: Fedora 25, 26

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-8f95-9vr9-hxf2: In MIT Kerberos 5 (aka krb5) 1↗2022-05-13

▶

CVEList

CVE-2017-11368: In MIT Kerberos 5 (aka krb5) 1↗2017-08-09

▶

OSV

CVE-2017-11368: In MIT Kerberos 5 (aka krb5) 1↗2017-08-09

▶

📋Vendor Advisories

Red Hat

krb5: Invalid S4U2Self or S4U2Proxy request causes assertion failure↗2017-07-13

▶

Debian

CVE-2017-11368: krb5 - In MIT Kerberos 5 (aka krb5) 1.7 and later, an authenticated attacker can cause ...↗2017

▶

💬Community

Bugzilla

CVE-2017-11368 krb5: Invalid S4U2Self or S4U2Proxy request causes assertion failure↗2017-07-21

▶