CVE-2015-8629

 

Published at: - 13-02-2016 03:59

Last modified: - 19-10-2022 04:59

Total changes: - 3

Description

The xdr_nullstring function in lib/kadm5/kadm_rpc_xdr.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13.4 and 1.14.x before 1.14.1 does not verify whether '\0' characters exist as expected, which allows remote authenticated users to obtain sensitive information or cause a denial of service (out-of-bounds read) via a crafted string.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

 

Verification logic

 

Reference

• https://github.com/krb5/krb5/commit/df17a1224a3406f57477bcd372c61e04c0e5a5bb
• http://krbdev.mit.edu/rt/Ticket/Display.html?id=8341
• http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
• http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
• 82801-Third Party Advisory, VDB Entry
• RHSA-2016:0532-Third Party Advisory
• RHSA-2016:0493-Third Party Advisory
• 1034914-Third Party Advisory, VDB Entry
• openSUSE-SU-2016:0501-Mailing List, Third Party Advisory
• DSA-3466-Third Party Advisory
• openSUSE-SU-2016:0406-Mailing List, Third Party Advisory

 

Keywords

NVD

 

CVE-2015-8629

 

CVE

 

Common vulnerabilities & exposures

 

CVSS

 

Common vulnerability scoring system

 

Security

 

Vulnerabilities

 

Exposures