CVE-2015-2697 - OpenCVE

The build_principal_va function in lib/krb5/krb/bld_princ.c in MIT Kerberos 5 (aka krb5) before 1.14 allows remote authenticated users to cause a denial of service (out-of-bounds read and KDC crash) via an initial '\0' character in a long realm field within a TGS request.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:S/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Canonical	Ubuntu Linux
Debian	Debian Linux
Mit	Kerberos 5
Opensuse	Leap Opensuse
Oracle	Solaris
Suse	Linux Enterprise Desktop Linux Enterprise Server Linux Enterprise Software Development Kit

Configuration 1 [-]

cpe:2.3:a:mit:kerberos_5:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:o:oracle:solaris:11.3:*:*:*:*:*:*:*

Configuration 3 [-]

OR	cpe:2.3:o:canonical:ubuntu_linux:12.04::::-:::
	cpe:2.3:o:canonical:ubuntu_linux:14.04::::esm:::
	cpe:2.3:o:canonical:ubuntu_linux:15.04:::::::*
	cpe:2.3:o:canonical:ubuntu_linux:15.10:::::::*

Configuration 4 [-]

OR	cpe:2.3:o:debian:debian_linux:7.0:::::::*
	cpe:2.3:o:debian:debian_linux:8.0:::::::*
	cpe:2.3:o:debian:debian_linux:9.0:::::::*

Configuration 5 [-]

OR	cpe:2.3:o:opensuse:leap:42.1:::::::*
	cpe:2.3:o:opensuse:opensuse:13.1:::::::*
	cpe:2.3:o:opensuse:opensuse:13.2:::::::*
	cpe:2.3:o:suse:linux_enterprise_desktop:12:-::::::
	cpe:2.3:o:suse:linux_enterprise_server:12:-::::::
	cpe:2.3:o:suse:linux_enterprise_software_development_kit:12:-::::::

No data.

References

Link	Providers
http://krbdev.mit.edu/rt/Ticket/Display.html?id=8252
http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00006.html
http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00014.html
http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00022.html
http://www.debian.org/security/2015/dsa-3395
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
http://www.securityfocus.com/bid/77581
http://www.securitytracker.com/id/1034084
http://www.ubuntu.com/usn/USN-2810-1
https://github.com/krb5/krb5/commit/f0c094a1b745d91ef2f9a4eae2149aac026a5789
https://nvd.nist.gov/vuln/detail/CVE-2015-2697
https://security.gentoo.org/glsa/201611-14
https://www.cve.org/CVERecord?id=CVE-2015-2697

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2015-11-09T02:00:00

Updated: 2024-08-06T05:24:38.817Z

Reserved: 2015-03-24T00:00:00

Link: CVE-2015-2697

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2015-11-09T03:59:03.343

Modified: 2021-02-02T19:06:45.520

Link: CVE-2015-2697

Redhat

Severity : Moderate

Publid Date: 2015-09-25T00:00:00Z

Links: CVE-2015-2697 - Bugzilla

Metrics

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

Metrics

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object