CVE-2020-13110 — Uncontrolled Search Path Element in Project Kerberos

CWE-427 — Uncontrolled Search Path Element CWE-400 — Uncontrolled Resource Consumption5 documents5 sources

Severity

7.8HIGHNVD

EPSS

0.1%

top 79.02%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Kerberos Project Kerberos MIT Kerberos

Timeline

PublishedMay 16

Latest updateJul 13

Description

The kerberos package before 1.0.0 for Node.js allows arbitrary code execution and privilege escalation via injection of malicious DLLs through use of the kerberos_sspi LoadLibrary() method, because of a DLL path search.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

▶npmmit/kerberos< 1.0.0

▶NVDkerberos_project/kerberos< 1.0.0

🔴Vulnerability Details

OSV

DLL Injection in kerberos↗2020-09-04

▶

GHSA

DLL Injection in kerberos↗2020-09-04

▶

CVEList

CVE-2020-13110: The kerberos package before 1↗2020-05-16

▶

📋Vendor Advisories

Red Hat

exiv2: integer buffer overflow in getUShort fucntion leads to DoS↗2021-07-13

▶