CVE-2020-28196

Published: 06/11/2020 Updated: 07/11/2023
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 445
CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Summary

MIT Kerberos 5 (aka krb5) prior to 1.17.2 and 1.18.x prior to 1.18.3 allows unbounded recursion via an ASN.1-encoded Kerberos message because the lib/krb5/asn.1/asn1_encode.c support for BER indefinite lengths lacks a recursion limit.
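To make the failure mode concrete, here is an added toy BER decoder (not krb5's code and not its fix) that handles indefinite-length constructed values the way the summary describes, but with an explicit nesting cap; the cap value and the constructed test input are assumptions for illustration.

```python
# Added example: minimal BER TLV decoder with a recursion cap (hypothetical, not krb5's asn1_encode.c).
from typing import Any, List, Tuple

class BerError(ValueError):
    """Raised on malformed input or when nesting exceeds the cap."""

CONSTRUCTED = 0x20   # bit 6 of the identifier octet
INDEFINITE = 0x80    # length octet 0x80 means "indefinite, ends with 00 00"
MAX_DEPTH = 32       # assumed cap; legitimate Kerberos messages nest far less than this

def decode(data: bytes, pos: int = 0, depth: int = 0, max_depth: int = MAX_DEPTH) -> Tuple[Any, int]:
    """Decode one TLV at `pos`; returns ((tag, value), next_pos). Constructed values become lists."""
    if depth > max_depth:
        raise BerError(f"nesting deeper than {max_depth}")   # the check the vulnerable code lacked
    if pos + 2 > len(data):
        raise BerError("truncated header")
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if tag & 0x1F == 0x1F:
        raise BerError("high-tag-number form not supported in this toy")
    if first == INDEFINITE:
        if not tag & CONSTRUCTED:
            raise BerError("indefinite length on a primitive value")
        items: List[Any] = []
        while data[pos:pos + 2] != b"\x00\x00":            # loop until end-of-contents
            child, pos = decode(data, pos, depth + 1, max_depth)
            items.append(child)
        return (tag, items), pos + 2
    if first & 0x80:                                      # definite long form
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(data):
            raise BerError("bad long-form length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    else:                                                 # definite short form
        length = first
    end = pos + length
    if end > len(data):
        raise BerError("length exceeds buffer")
    if tag & CONSTRUCTED:
        items = []
        while pos < end:
            child, pos = decode(data, pos, depth + 1, max_depth)
            items.append(child)
        return (tag, items), end
    return (tag, data[pos:end]), end

def nested_indefinite(levels: int) -> bytes:
    """Constructed sample: `levels` indefinite-length SEQUENCEs (0x30) wrapping INTEGER 1."""
    return b"\x30\x80" * levels + b"\x02\x01\x01" + b"\x00\x00" * levels

def decodes_within(levels: int, max_depth: int) -> bool:
    """True if the sample parses under the cap, False if the cap rejects it."""
    try:
        decode(nested_indefinite(levels), max_depth=max_depth)
        return True
    except BerError:
        return False
```

Without the depth check, each extra `30 80` prefix in the input costs one more stack frame, so the message size, not the parser, decides how deep the recursion goes.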

Vulnerable Products

mit kerberos 5
fedoraproject fedora 31
netapp cloud backup
netapp snapcenter
netapp oncommand workflow automation
netapp oncommand insight
netapp active iq unified manager
oracle communications offline mediation controller 12.0.0.3.0
oracle mysql server
oracle communications pricing design center 12.0.0.3.0
oracle communications cloud native core policy 1.14.0

Vendor Advisories

Debian Bug report logs - #973880 krb5: CVE-2020-28196 Package: src:krb5; Maintainer for src:krb5 is Sam Hartman <hartmans@debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Fri, 6 Nov 2020 13:09:01 UTC Severity: important Tags: security, upstream Found in versions krb5/1.17-3, krb5/1.17-10 Fix ...
Demi Obenour discovered that unbounded recursion in the ASN.1 parser of libkrb5 could result in denial of service. For the stable distribution (buster), this problem has been fixed in version 1.17-3+deb10u1. We recommend that you upgrade your krb5 packages. For the detailed security status of krb5 please refer to its security tracker page at: https ...
A flaw was found in krb5. MIT Kerberos 5 allows unbounded recursion via an ASN.1-encoded Kerberos message because the lib/krb5/asn.1/asn1_encode.c support for BER indefinite lengths lacks a recursion limit (CVE-2020-28196) ...