CVE-2014-5353

Severity

35%

Complexity

68%

Confidentiality

48%

CWE-476: NULL Pointer Dereference

The krb5_ldap_get_password_policy_from_dn function in plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c in MIT Kerberos 5 (aka krb5) before 1.13.1, when the KDC uses LDAP, allows remote authenticated users to cause a denial of service (daemon crash) via a successful LDAP query with no results, as demonstrated by using an incorrect object type for a password policy.

CWE-476: NULL Pointer Dereference

CVSS 2.0 Base Score 3.5. CVSS Attack Vector: network. CVSS Attack Complexity: medium. CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:N/A:P).

Overview

First reported 10 years ago

2014-12-16 23:59:00

Last updated 7 years ago

2018-02-04 02:29:00

Affected Software

MIT Kerberos

References

http://advisories.mageia.org/MGASA-2014-0536.html

FEDORA-2015-5949

openSUSE-SU-2015:0542

RHSA-2015:0439

RHSA-2015:0794

MDVSA-2015:009

http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html

71679

1031376

USN-2498-1

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773226

https://github.com/krb5/krb5/commit/d1f707024f1d0af6e54a18885322d70fa15ec4d3

Vendor Advisory

[debian-lts-announce] 20180131 [SECURITY] [DLA 1265-1] krb5 security update

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.