{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-09-22T00:00:00", "descriptions": [{"lang": "en", "value": "The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13 sends old keys in a response to a -randkey -keepold request, which allows remote authenticated users to forge tickets by leveraging administrative access."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-02-02T10:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://krbdev.mit.edu/rt/Ticket/Display.html?id=8018"}, {"name": "1031003", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1031003"}, {"name": "FEDORA-2015-2382", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151103.html"}, {"name": "[debian-lts-announce] 20180131 [SECURITY] [DLA 1265-1] krb5 security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2018/01/msg00040.html"}, {"name": "openSUSE-SU-2015:0255", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2015-02/msg00044.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://advisories.mageia.org/MGASA-2014-0477.html"}, {"name": "SUSE-SU-2015:0290", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00016.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1145425"}, {"name": "MDVSA-2014:224", "tags": ["vendor-advisory", "x_refsource_MANDRIVA"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2014:224"}, {"name": "GLSA-201412-53", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "http://security.gentoo.org/glsa/glsa-201412-53.xml"}, {"name": "USN-2498-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2498-1"}, {"name": "70380", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/70380"}, {"name": "kerberos-cve20145351-sec-bypass(97028)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/97028"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/krb5/krb5/commit/af0ed4df4dfae762ab5fb605f5a0c8f59cb4f6ca"}, {"name": "FEDORA-2014-11940", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140132.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-5351", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13 sends old keys in a response to a -randkey -keepold request, which allows remote authenticated users to forge tickets by leveraging administrative access."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://krbdev.mit.edu/rt/Ticket/Display.html?id=8018", "refsource": "CONFIRM", "url": "http://krbdev.mit.edu/rt/Ticket/Display.html?id=8018"}, {"name": "1031003", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1031003"}, {"name": "FEDORA-2015-2382", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151103.html"}, {"name": "[debian-lts-announce] 20180131 [SECURITY] [DLA 1265-1] krb5 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/01/msg00040.html"}, {"name": "openSUSE-SU-2015:0255", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2015-02/msg00044.html"}, {"name": "http://advisories.mageia.org/MGASA-2014-0477.html", "refsource": "CONFIRM", "url": "http://advisories.mageia.org/MGASA-2014-0477.html"}, {"name": "SUSE-SU-2015:0290", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00016.html"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1145425", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1145425"}, {"name": "MDVSA-2014:224", "refsource": "MANDRIVA", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2014:224"}, {"name": "GLSA-201412-53", "refsource": "GENTOO", "url": "http://security.gentoo.org/glsa/glsa-201412-53.xml"}, {"name": "USN-2498-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2498-1"}, {"name": "70380", "refsource": "BID", "url": "http://www.securityfocus.com/bid/70380"}, {"name": "kerberos-cve20145351-sec-bypass(97028)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/97028"}, {"name": "https://github.com/krb5/krb5/commit/af0ed4df4dfae762ab5fb605f5a0c8f59cb4f6ca", "refsource": "CONFIRM", "url": "https://github.com/krb5/krb5/commit/af0ed4df4dfae762ab5fb605f5a0c8f59cb4f6ca"}, {"name": "FEDORA-2014-11940", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140132.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T11:41:49.184Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://krbdev.mit.edu/rt/Ticket/Display.html?id=8018"}, {"name": "1031003", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1031003"}, {"name": "FEDORA-2015-2382", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151103.html"}, {"name": "[debian-lts-announce] 20180131 [SECURITY] [DLA 1265-1] krb5 security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2018/01/msg00040.html"}, {"name": "openSUSE-SU-2015:0255", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2015-02/msg00044.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://advisories.mageia.org/MGASA-2014-0477.html"}, {"name": "SUSE-SU-2015:0290", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00016.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1145425"}, {"name": "MDVSA-2014:224", "tags": ["vendor-advisory", "x_refsource_MANDRIVA", "x_transferred"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2014:224"}, {"name": "GLSA-201412-53", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "http://security.gentoo.org/glsa/glsa-201412-53.xml"}, {"name": "USN-2498-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-2498-1"}, {"name": "70380", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/70380"}, {"name": "kerberos-cve20145351-sec-bypass(97028)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/97028"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/krb5/krb5/commit/af0ed4df4dfae762ab5fb605f5a0c8f59cb4f6ca"}, {"name": "FEDORA-2014-11940", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140132.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-5351", "datePublished": "2014-10-10T01:00:00", "dateReserved": "2014-08-19T00:00:00", "dateUpdated": "2024-08-06T11:41:49.184Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mit:kerberos_5:1.12.2:*:*:*:*:*:*:*", "matchCriteriaId": "9D0A28CB-173D-4676-B083-E3718213B840", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13 sends old keys in a response to a -randkey -keepold request, which allows remote authenticated users to forge tickets by leveraging administrative access."}, {"lang": "es", "value": "La funci\u00f3n kadm5_randkey_principal_3 en lib/kadm5/srv/svr_principal.c en kadmind en MIT Kerberos 5 (tambi\u00e9n conocido como krb5) anterior a 1.13 env\u00eda claves viejas en respuesta a una solicitud -randkey -keepold, lo que permite a usuarios remotos autenticados falsificar tickets mediante el aprovechamiento del acceso administrativo."}], "id": "CVE-2014-5351", "lastModified": "2020-01-21T15:46:49.820", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:H/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-10-10T01:55:11.307", "references": [{"source": "cve@mitre.org", "url": "http://advisories.mageia.org/MGASA-2014-0477.html"}, {"source": "cve@mitre.org", "url": "http://krbdev.mit.edu/rt/Ticket/Display.html?id=8018"}, {"source": "cve@mitre.org", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140132.html"}, {"source": "cve@mitre.org", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151103.html"}, {"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00016.html"}, {"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-updates/2015-02/msg00044.html"}, {"source": "cve@mitre.org", "url": "http://security.gentoo.org/glsa/glsa-201412-53.xml"}, {"source": "cve@mitre.org", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2014:224"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/70380"}, {"source": "cve@mitre.org", "url": "http://www.securitytracker.com/id/1031003"}, {"source": "cve@mitre.org", "url": "http://www.ubuntu.com/usn/USN-2498-1"}, {"source": "cve@mitre.org", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1145425"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/97028"}, {"source": "cve@mitre.org", "url": "https://github.com/krb5/krb5/commit/af0ed4df4dfae762ab5fb605f5a0c8f59cb4f6ca"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2018/01/msg00040.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-255"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "krb5: current keys returned when randomizing the keys for a service principal", "id": "1145425", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1145425"}, "csaw": false, "cvss": {"cvss_base_score": "2.1", "cvss_scoring_vector": "AV:N/AC:H/Au:S/C:P/I:N/A:N", "status": "draft"}, "cwe": "CWE-200", "details": ["The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13 sends old keys in a response to a -randkey -keepold request, which allows remote authenticated users to forge tickets by leveraging administrative access."], "name": "CVE-2014-5351", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Will not fix", "package_name": "krb5", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Will not fix", "package_name": "krb5", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "krb5", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2014-08-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2014-5351\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-5351"], "statement": "Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", "threat_severity": "Moderate", "upstream_fix": "krb5 1.13"}