CVE-2024-37371

CWE-125: Out-of-bounds Read
12 documents, 9 sources

Severity: 9.1 CRITICAL
EPSS: 2.6% (top 14.37%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 28; latest update Oct 15

Description

In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Exploitability: 3.9 | Impact: 5.2

Affected Packages (3 packages)

NVD: mit/kerberos_5 < 1.21.3
Debian: krb5 < 1.18.3-6+deb11u5+3
Ubuntu: krb5 < 1.17-6ubuntu4.6+5

Also affects: Debian Linux 11.0, 12.0

Patches

Vulnerability Details (4)

OSV: krb5 vulnerabilities (2024-08-08)
GHSA: GHSA-8wpj-v5qv-3wf4: In MIT Kerberos 5 (aka krb5) before 1 (2024-06-29)
OSV: CVE-2024-37371: In MIT Kerberos 5 (aka krb5) before 1 (2024-06-28)
CVEList: CVE-2024-37371: In MIT Kerberos 5 (aka krb5) before 1 (2024-06-28)

Vendor Advisories (7)

Oracle: Oracle Communications Applications Risk Matrix: Security (Kerberos) — CVE-2024-37371 (2025-10-15)
Oracle: Oracle Communications Applications Risk Matrix: Platform (Kerberos) — CVE-2024-37371 (2025-01-15)
Oracle: Oracle Communications Risk Matrix: Configuration (Kerberos) — CVE-2024-37371 (2024-10-15)
Ubuntu: Kerberos vulnerabilities (2024-08-08)
Red Hat: krb5: GSS message token handling (2024-06-27)