CVE-2021-36222

CWE-476NULL Pointer Dereference10 documents9 sources
Severity
7.5HIGH
EPSS
6.6%
top 8.82%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
MIT Kerberos 5Oracle Mysql ServerDebian Debian Linux
Timeline
PublishedJul 22
Latest updateMar 16

Description

ec_verify in kdc/kdc_preauth_ec.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.4 and 1.19.x before 1.19.2 allows remote attackers to cause a NULL pointer dereference and daemon crash. This occurs because a return value is not properly managed in a certain situation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

NVDmit/kerberos_51.19.01.19.2+1
Debiankrb5< 1.18.3-6+3
Ubuntukrb5< 1.16-2ubuntu0.4+1
NVDoracle/mysql_server8.0.08.0.26

Also affects: Debian Linux 10.0

Patches

Patch: github.comPatch: www.oracle.comPatch: github.com

🔴Vulnerability Details

4
OSV
krb5 vulnerabilities2023-03-16
GHSA
GHSA-7gwg-3h62-pwf5: ec_verify in kdc/kdc_preauth_ec2022-05-24
OSV
CVE-2021-36222: ec_verify in kdc/kdc_preauth_ec2021-07-22
CVEList
CVE-2021-36222: ec_verify in kdc/kdc_preauth_ec2021-07-22

📋Vendor Advisories

5
Ubuntu
Kerberos vulnerabilities2023-03-16
Oracle
Oracle Oracle MySQL Risk Matrix: Server: Compiling (Kerberos) — CVE-2021-362222021-10-15
Microsoft
ec_verify in kdc/kdc_preauth_ec.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.4 and 1.19.x before 1.19.2 allows remote attackers to cause a NULL pointer dereference a2021-07-13
Red Hat
krb5: Sending a request containing PA-ENCRYPTED-CHALLENGE padata element without using FAST could result in NULL dereference in KDC which leads to DoS2021-07-12
Debian
CVE-2021-36222: krb5 - ec_verify in kdc/kdc_preauth_ec.c in the Key Distribution Center (KDC) in MIT Ke...2021