CVE-2017-7562

CWE-287 — Improper Authentication CWE-295 — Improper Certificate Validation6 documents6 sources

Severity

6.5MEDIUM

EPSS

0.4%

top 37.51%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

MIT Kerberos 5 MIT Krb5 Redhat Enterprise Linux +3 more

Timeline

PublishedJul 26

Latest updateMay 13

Description

An authentication bypass flaw was found in the way krb5's certauth interface before 1.16.1 handled the validation of client certificates. A remote attacker able to communicate with the KDC could potentially use this flaw to impersonate arbitrary principals under rare and erroneous circumstances.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages5 packages

▶CVEListV5mit/krb51.16.1

▶NVDmit/kerberos_51.0 — 1.16.1

▶NVDredhat/enterprise_linux_server7.0

▶NVDredhat/enterprise_linux_desktop7.0

▶NVDredhat/enterprise_linux_workstation7.0

Also affects: Enterprise Linux 7.0

Patches

Patch: bugzilla.redhat.com ↗Patch: github.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-vg8p-42hp-9g25: An authentication bypass flaw was found in the way krb5's certauth interface before 1↗2022-05-13

▶

CVEList

CVE-2017-7562: An authentication bypass flaw was found in the way krb5's certauth interface before 1↗2018-07-26

▶

📋Vendor Advisories

Red Hat

krb5: Authentication bypass by improper validation of certificate EKU and SAN↗2017-08-25

▶

Debian

CVE-2017-7562: krb5 - An authentication bypass flaw was found in the way krb5's certauth interface bef...↗2017

▶

💬Community

Bugzilla

CVE-2017-7562 krb5: Authentication bypass by improper validation of certificate EKU and SAN↗2017-08-25

▶