CVE-2020-28196
Published: 2020-11-06
Severity: High, CVSS 3.1 base score 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MIT Kerberos 5 (aka krb5) before 1.17.2 and 1.18.x before 1.18.3 allows unbounded recursion via an ASN.1-encoded Kerberos message because the lib/krb5/asn.1/asn1_encode.c support for BER indefinite lengths lacks a recursion limit.
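The bug class described above, as an added example that is not krb5's code: a minimal BER structure walker that recurses one stack frame per nesting level, as a decoder of indefinite-length constructed elements naturally does, but refuses input past a depth bound. `ber_walk`, `ber_walk_nested` and the limit `BER_MAX_DEPTH` are assumed names and values, and the nested test input is constructed here.

```c
#include <stddef.h>
#include <stdint.h>
/* Added example, not krb5 code: a BER walker with a recursion bound (BER_MAX_DEPTH is assumed). */
#define BER_MAX_DEPTH 64
enum { BER_ERR_TRUNCATED = -1, BER_ERR_DEPTH = -2, BER_ERR_BADLEN = -3, BER_ERR_TAG = -4 };
/* Walks one element at buf[0..len); returns bytes consumed, or a negative error. */
long ber_walk(const uint8_t *buf, size_t len, int depth)
{
    if (depth > BER_MAX_DEPTH) return BER_ERR_DEPTH;   /* the check the vulnerable decoder lacked */
    if (len < 2) return BER_ERR_TRUNCATED;
    if ((buf[0] & 0x1f) == 0x1f) return BER_ERR_TAG;   /* multi-byte tag form: not used by Kerberos */
    int constructed = (buf[0] & 0x20) != 0;
    size_t pos = 1;
    if (buf[pos] == 0x80) {                             /* BER indefinite length: constructed only */
        if (!constructed) return BER_ERR_BADLEN;
        for (pos = 2;;) {                               /* children until end-of-contents (00 00) */
            if (pos + 2 > len) return BER_ERR_TRUNCATED;
            if (buf[pos] == 0x00 && buf[pos + 1] == 0x00) return (long)(pos + 2);
            long used = ber_walk(buf + pos, len - pos, depth + 1);   /* one frame per nesting level */
            if (used < 0) return used;
            pos += (size_t)used;
        }
    }
    size_t clen = 0;
    if (buf[pos] < 0x80) clen = buf[pos++];             /* definite length, short form */
    else {                                              /* long form: n length octets follow */
        int n = buf[pos++] & 0x7f;
        if (n == 0 || n > 4 || pos + (size_t)n > len) return BER_ERR_BADLEN;
        while (n-- > 0) clen = (clen << 8) | buf[pos++];
    }
    if (clen > len - pos) return BER_ERR_TRUNCATED;
    size_t end = pos + clen;
    while (constructed && pos < end) {                  /* descend into definite-length children */
        long used = ber_walk(buf + pos, end - pos, depth + 1);
        if (used < 0) return used;
        pos += (size_t)used;
    }
    return (long)end;
}

/* Constructed input: `levels` nested indefinite-length SEQUENCEs around INTEGER 42, then walked. */
long ber_walk_nested(int levels)
{
    uint8_t buf[4096]; size_t p = 0;
    if (4 * (size_t)levels + 3 > sizeof buf) return BER_ERR_BADLEN;
    for (int i = 0; i < levels; i++) { buf[p++] = 0x30; buf[p++] = 0x80; }
    buf[p++] = 0x02; buf[p++] = 0x01; buf[p++] = 0x2a;
    for (int i = 0; i < levels; i++) { buf[p++] = 0x00; buf[p++] = 0x00; }
    return ber_walk(buf, p, 0);
}
```

A shallow message walks to completion and returns its length; a message nested past the bound is rejected with `BER_ERR_DEPTH` instead of consuming a stack frame per level.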
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | krb5 | < krb5 1.18.3-1 (bookworm) | krb5 1.18.3-1 (bookworm) |
| fedoraproject | fedora | — | — |
| mit | kerberos_5 | < 1.17.2 | 1.17.2 |
| mit | kerberos_5 | >= 1.18.0 < 1.18.3 | 1.18.3 |
| mit | krb5 | >= 0 < 1.18.3-1 | 1.18.3-1 |
| mit | krb5 | >= 0 < 1.18.3-1 | 1.18.3-1 |
| mit | krb5 | >= 0 < 1.18.3-1 | 1.18.3-1 |
| mit | krb5 | >= 0 < 1.18.3-1 | 1.18.3-1 |
| msrc | cm1_krb5_1.18.4-1_on_cbl_mariner_1.0 | — | — |
| oracle | communications_cloud_native_core_policy | — | — |
| oracle | communications_offline_mediation_controller | — | — |
| oracle | communications_pricing_design_center | — | — |
| oracle | mysql_server | <= 8.0.23 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | — | 7.5 | HIGH | — |