CVE-2014-9421

Published: 19/02/2015 | Updated: 21/01/2020
CVSS v2 Base Score: 9 | Impact Score: 10 | Exploitability Score: 8
VMScore: 802
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Vulnerability Summary

The auth_gssapi_unwrap_data function in lib/rpc/auth_gssapi_misc.c in MIT Kerberos 5 (aka krb5) up to and including 1.11.5, 1.12.x up to and including 1.12.2, and 1.13.x prior to 1.13.1 does not properly handle partial XDR deserialization, which allows remote authenticated users to cause a denial of service (use-after-free and double free, and daemon crash) or possibly execute arbitrary code via malformed XDR data, as demonstrated by data sent to kadmind.

Vulnerable Product

mit kerberos 5 1.11.4

mit kerberos 5 1.11.5

mit kerberos 5 1.11.2

mit kerberos 5 1.11.3

mit kerberos 5 1.11

mit kerberos 5 1.11.1

mit kerberos 5 1.12.2

mit kerberos 5 1.13

mit kerberos 5 1.12

mit kerberos 5 1.12.1

Vendor Advisories

Several security issues were fixed in Kerberos ...
A use-after-free flaw was found in the way the MIT Kerberos libgssapi_krb5 library processed valid context deletion tokens. An attacker able to make an application using the GSS-API library (libgssapi) could call the gss_process_context_token() function and use this flaw to crash that application (CVE-2014-5352). If kadmind were used with an LDAP b ...
A double-free flaw was found in the way MIT Kerberos handled invalid External Data Representation (XDR) data. An authenticated user could use this flaw to crash the MIT Kerberos administration server (kadmind), or other applications using Kerberos libraries, using specially crafted XDR packets ...