CVE-2024-37370 — Insufficient Verification of Data Authenticity in Kerberos 5

CWE-345 — Insufficient Verification of Data Authenticity9 documents8 sources

Severity

7.5HIGHNVD

EPSS

0.5%

top 32.19%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

MIT Krb5 MIT Kerberos 5

Timeline

PublishedJun 28

Latest updateAug 8

Description

In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶Debianmit/krb5< 1.18.3-6+deb11u5+3

▶Ubuntumit/krb5< 1.17-6ubuntu4.6+5

▶NVDmit/kerberos_5< 1.21.3

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

krb5 vulnerabilities↗2024-08-08

▶

GHSA

GHSA-wvrw-2fv8-cjvx: In MIT Kerberos 5 (aka krb5) before 1↗2024-06-29

▶

OSV

CVE-2024-37370: In MIT Kerberos 5 (aka krb5) before 1↗2024-06-28

▶

CVEList

CVE-2024-37370: In MIT Kerberos 5 (aka krb5) before 1↗2024-06-28

▶

📋Vendor Advisories

Ubuntu

Kerberos vulnerabilities↗2024-08-08

▶

Red Hat

krb5: GSS message token handling↗2024-06-27

▶

Microsoft

In MIT Kerberos 5 (aka krb5) before 1.21.3 an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token causing the unwrapped token to appear truncated to the applicati↗2024-06-11

▶

Debian

CVE-2024-37370: krb5 - In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext...↗2024

▶