The kdcpreauth modules in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x prior to 1.13.2 do not properly track whether a client's request has been validated, which allows remote malicious users to bypass an intended preauthentication requirement by providing (1) zero bytes of data or (2) an arbitrary realm name, related to plugins/preauth/otp/main.c and plugins/preauth/pkinit/pkinit_srv.c.
| Vulnerable Product |
|---|
| mit kerberos 5 1.12 |
| mit kerberos 5 1.12.1 |
| mit kerberos 5 1.12.2 |
| mit kerberos 5 1.12.3 |
| mit kerberos 5 1.13 |
| mit kerberos 5 1.13.1 |