MitCVEs & Vulnerabilities

157 CVEs affecting Mit products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

kerberos 5 758kerberos 45krb5-appl 4mit kerberos 3scratch-svg-renderer 3cgiemail 2pgp public key server 2kerberos ftp client 1
CVE-2007-5901MEDIUM

Use-after-free vulnerability in the gss_indicate_mechs function in lib/gssapi/mechglue/g_initialize.c in MIT Kerberos 5 (krb5) has unknown impact and attack vectors. NOTE: this might be the result of a typo in the source code.

6 Dec 2007
6.9
CVSS
CVE-2007-5902CRITICAL

Integer overflow in the svcauth_gss_get_principal function in lib/rpc/svc_auth_gss.c in MIT Kerberos 5 (krb5) allows remote attackers to have an unknown impact via a large length value for a GSS client name in an RPC request.

6 Dec 2007
10.0
CVSS
CVE-2007-5971MEDIUM

Double free vulnerability in the gss_krb5int_make_seal_token_v3 function in lib/gssapi/krb5/k5sealv3.c in MIT Kerberos 5 (krb5) has unknown impact and attack vectors.

6 Dec 2007
6.9
CVSS
CVE-2007-5972CRITICAL

Double free vulnerability in the krb5_def_store_mkey function in lib/kdb/kdb_default.c in MIT Kerberos 5 (krb5) 1.5 has unknown impact and remote authenticated attack vectors. NOTE: the free operations occur in code that stores the krb5kdc master key, and so the attacker must have privileges to store this key.

6 Dec 2007
9.0
CVSS
CVE-2007-4743CRITICAL

The original patch for CVE-2007-3999 in svc_auth_gss.c in the RPCSEC_GSS RPC library in MIT Kerberos 5 (krb5) 1.4 through 1.6.2, as used by the Kerberos administration daemon (kadmind) and other applications that use krb5, does not correctly check the buffer length in some environments and architectures, which might allow remote attackers to conduct a buffer overflow attack.

7 Sep 2007
10.0
CVSS
CVE-2007-3999CRITICAL

Stack-based buffer overflow in the svcauth_gss_validate function in lib/rpc/svc_auth_gss.c in the RPCSEC_GSS RPC library (librpcsecgss) in MIT Kerberos 5 (krb5) 1.4 through 1.6.2, as used by the Kerberos administration daemon (kadmind) and some third-party applications that use krb5, allows remote attackers to cause a denial of service (daemon crash) and probably execute arbitrary code via a long string in an RPC message.

5 Sep 2007
10.0
CVSS
CVE-2007-4000HIGH

The kadm5_modify_policy_internal function in lib/kadm5/srv/svr_policy.c in the Kerberos administration daemon (kadmind) in MIT Kerberos 5 (krb5) 1.5 through 1.6.2 does not properly check return values when the policy does not exist, which might allow remote authenticated users with the "modify policy" privilege to execute arbitrary code via unspecified vectors that trigger a write to an uninitialized pointer.

5 Sep 2007
8.5
CVSS
CVE-2007-2442CRITICAL

The gssrpc__svcauth_gssapi function in the RPC library in MIT Kerberos 5 (krb5) 1.6.1 and earlier might allow remote attackers to execute arbitrary code via a zero-length RPC credential, which causes kadmind to free an uninitialized pointer during cleanup.

27 Jun 2007
10.0
CVSS
CVE-2007-2443HIGH

Integer signedness error in the gssrpc__svcauth_unix function in svc_auth_unix.c in the RPC library in MIT Kerberos 5 (krb5) 1.6.1 and earlier might allow remote attackers to execute arbitrary code via a negative length value.

27 Jun 2007
8.3
CVSS
CVE-2007-2798CRITICAL

Stack-based buffer overflow in the rename_principal_2_svc function in kadmind for MIT Kerberos 1.5.3, 1.6.1, and other versions allows remote authenticated users to execute arbitrary code via a crafted request to rename a principal.

27 Jun 2007
9.0
CVSS
CVE-2007-3149HIGH

sudo, when linked with MIT Kerberos 5 (krb5), does not properly check whether a user can currently authenticate to Kerberos, which allows local users to gain privileges, in a manner unintended by the sudo security model, via certain KRB5_ environment variable settings. NOTE: another researcher disputes this vulnerability, stating that the attacker must be "a user, who can already log into your system, and can already use sudo."

11 Jun 2007
7.2
CVSS
CVE-2007-0956CRITICAL

The telnet daemon (telnetd) in MIT krb5 before 1.6.1 allows remote attackers to bypass authentication and gain system access via a username beginning with a '-' character, a similar issue to CVE-2007-0882.

6 Apr 2007
10.0
CVSS
CVE-2007-0957CRITICAL

Stack-based buffer overflow in the krb5_klog_syslog function in the kadm5 library, as used by the Kerberos administration daemon (kadmind) and Key Distribution Center (KDC), in MIT krb5 before 1.6.1 allows remote authenticated users to execute arbitrary code and modify the Kerberos key database via crafted arguments, possibly involving certain format string specifiers.

6 Apr 2007
9.0
CVSS
CVE-2007-1216CRITICAL

Double free vulnerability in the GSS-API library (lib/gssapi/krb5/k5unseal.c), as used by the Kerberos administration daemon (kadmind) in MIT krb5 before 1.6.1, when used with the authentication method provided by the RPCSEC_GSS RPC library, allows remote authenticated users to execute arbitrary code and modify the Kerberos key database via a message with an "an invalid direction encoding".

6 Apr 2007
9.0
CVSS
CVE-2006-6143CRITICAL

The RPC library in Kerberos 5 1.4 through 1.4.4, and 1.5 through 1.5.1, as used in Kerberos administration daemon (kadmind) and other products that use this library, calls an uninitialized function pointer in freed memory, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors.

31 Dec 2006
9.3
CVSS
CVE-2006-6144MEDIUM

The "mechglue" abstraction interface of the GSS-API library for Kerberos 5 1.5 through 1.5.1, as used in Kerberos administration daemon (kadmind) and other products that use this library, allows remote attackers to cause a denial of service (crash) via unspecified vectors that cause mechglue to free uninitialized pointers.

31 Dec 2006
5.0
CVSS
CVE-2006-3083HIGH

The (1) krshd and (2) v4rcp applications in (a) MIT Kerberos 5 (krb5) up to 1.5, and 1.4.x before 1.4.4, when running on Linux and AIX, and (b) Heimdal 0.7.2 and earlier, do not check return codes for setuid calls, which allows local users to gain privileges by causing setuid to fail to drop privileges using attacks such as resource exhaustion.

9 Aug 2006
7.2
CVSS
CVE-2006-3084HIGH

The (1) ftpd and (2) ksu programs in (a) MIT Kerberos 5 (krb5) up to 1.5, and 1.4.x before 1.4.4, and (b) Heimdal 0.7.2 and earlier, do not check return codes for setuid calls, which might allow local users to gain privileges by causing setuid to fail to drop privileges. NOTE: as of 20060808, it is not known whether an exploitable attack scenario exists for these issues.

9 Aug 2006
7.2
CVSS
CVE-2005-1174MEDIUM

MIT Kerberos 5 (krb5) 1.3 through 1.4.1 Key Distribution Center (KDC) allows remote attackers to cause a denial of service (application crash) via a certain valid TCP connection that causes a free of unallocated memory.

18 Jul 2005
5.0
CVSS
CVE-2005-1175HIGH

Heap-based buffer overflow in the Key Distribution Center (KDC) in MIT Kerberos 5 (krb5) 1.4.1 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a certain valid TCP or UDP request.

18 Jul 2005
7.5
CVSS
CVE-2005-1689CRITICAL

Double free vulnerability in the krb5_recvauth function in MIT Kerberos 5 (krb5) 1.4.1 and earlier allows remote attackers to execute arbitrary code via certain error conditions.

18 Jul 2005
9.8
CVSS
CVE-2005-0488MEDIUM

Certain BSD-based Telnet clients, including those used on Solaris and SuSE Linux, allow remote malicious Telnet servers to read sensitive environment variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command.

14 Jun 2005
5.0
CVSS
CVE-2004-0971LOW

The krb5-send-pr script in the kerberos5 (krb5) package in Trustix Secure Linux 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite files via a symlink attack on temporary files.

9 Feb 2005
2.1
CVSS
CVE-2004-1189HIGH

The add_to_history function in svr_principal.c in libkadm5srv for MIT Kerberos 5 (krb5) up to 1.3.5, when performing a password change, does not properly track the password policy's history count and the maximum number of keys, which can cause an array index out-of-bounds error and may allow authenticated users to execute arbitrary code via a heap-based buffer overflow.

31 Dec 2004
7.2
CVSS
CVE-2004-0772CRITICAL

Double free vulnerabilities in error handling code in krb524d for MIT Kerberos 5 (krb5) 1.2.8 and earlier may allow remote attackers to execute arbitrary code.

20 Oct 2004
9.8
CVSS
CVE-2004-0642HIGH

Double free vulnerabilities in the error handling code for ASN.1 decoders in the (1) Key Distribution Center (KDC) library and (2) client library for MIT Kerberos 5 (krb5) 1.3.4 and earlier may allow remote attackers to execute arbitrary code.

28 Sep 2004
7.5
CVSS
CVE-2004-0643MEDIUM

Double free vulnerability in the krb5_rd_cred function for MIT Kerberos 5 (krb5) 1.3.1 and earlier may allow local users to execute arbitrary code.

28 Sep 2004
4.6
CVSS
CVE-2004-0644MEDIUM

The asn1buf_skiptail function in the ASN.1 decoder library for MIT Kerberos 5 (krb5) 1.2.2 through 1.3.4 allows remote attackers to cause a denial of service (infinite loop) via a certain BER encoding.

28 Sep 2004
5.0
CVSS
CVE-2004-0523CRITICAL

Multiple buffer overflows in krb5_aname_to_localname for MIT Kerberos 5 (krb5) 1.3.3 and earlier allow remote attackers to execute arbitrary code as root.

18 Aug 2004
10.0
CVSS
CVE-2002-1575MEDIUM

cgiemail allows remote attackers to use cgiemail as a spam proxy via CRLF injection of encoded newline (%0a) characters in parameters such as "required-subject," which can be used to modify the CC, BCC, and other header fields in the generated email message.

3 Mar 2004
5.0
CVSS
CVE-2003-0072MEDIUM

The Key Distribution Center (KDC) in Kerberos 5 (krb5) 1.2.7 and earlier allows remote, authenticated attackers to cause a denial of service (crash) on KDCs within the same realm using a certain protocol request that causes an out-of-bounds read of an array (aka "array overrun").

2 Apr 2003
5.0
CVSS
CVE-2003-0082MEDIUM

The Key Distribution Center (KDC) in Kerberos 5 (krb5) 1.2.7 and earlier allows remote, authenticated attackers to cause a denial of service (crash) on KDCs within the same realm using a certain protocol request that causes the KDC to corrupt its heap (aka "buffer underrun").

2 Apr 2003
5.0
CVSS
CVE-2003-0028HIGH

Integer overflow in the xdrmem_getbytes() function, and possibly other functions, of XDR (external data representation) libraries derived from SunRPC, including libnsl, libc, glibc, and dietlibc, allows remote attackers to execute arbitrary code via certain integer values in length fields, a different vulnerability than CVE-2002-0391.

25 Mar 2003
7.5
CVSS
CVE-2003-0138HIGH

Version 4 of the Kerberos protocol (krb4), as used in Heimdal and other packages, allows an attacker to impersonate any principal in a realm via a chosen-plaintext attack.

24 Mar 2003
7.5
CVSS
CVE-2003-0139HIGH

Certain weaknesses in the implementation of version 4 of the Kerberos protocol (krb4) in the krb5 distribution, when triple-DES keys are used to key krb4 services, allow an attacker to create krb4 tickets for unauthorized principals using a cut-and-paste attack and "ticket splicing."

24 Mar 2003
7.5
CVSS
CVE-2002-0036MEDIUM

Integer signedness error in MIT Kerberos V5 ASN.1 decoder before krb5 1.2.5 allows remote attackers to cause a denial of service via a large unsigned data element length, which is later used as a negative value.

19 Feb 2003
5.0
CVSS
CVE-2003-0041CRITICAL

Kerberos FTP client allows remote FTP sites to execute arbitrary code via a pipe (|) character in a filename that is retrieved by the client.

19 Feb 2003
10.0
CVSS
CVE-2003-0058MEDIUM

MIT Kerberos V5 Key Distribution Center (KDC) before 1.2.5 allows remote authenticated attackers to cause a denial of service (crash) on KDCs within the same realm via a certain protocol request that causes a null dereference.

19 Feb 2003
5.0
CVSS
CVE-2003-0059HIGH

Unknown vulnerability in the chk_trans.c of the libkrb5 library for MIT Kerberos V5 before 1.2.5 allows users from one realm to impersonate users in other realms that have the same inter-realm keys.

19 Feb 2003
7.5
CVSS
CVE-2003-0060HIGH

Format string vulnerabilities in the logging routines for MIT Kerberos V5 Key Distribution Center (KDC) before 1.2.5 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers in Kerberos principal names.

19 Feb 2003
7.5
CVSS
CVE-2002-1652HIGHpoc

Buffer overflow in cgicso.c for cgiemail 1.6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long query parameter.

31 Dec 2002
7.5
CVSS
CVE-2002-1235CRITICAL

The kadm_ser_in function in (1) the Kerberos v4compatibility administration daemon (kadmind4) in the MIT Kerberos 5 (krb5) krb5-1.2.6 and earlier, (2) kadmind in KTH Kerberos 4 (eBones) before 1.2.1, and (3) kadmind in KTH Kerberos 5 (Heimdal) before 0.5.1 when compiled with Kerberos 4 support, does not properly verify the length field of a request, which allows remote attackers to execute arbitrary code via a buffer overflow attack.

4 Nov 2002
10.0
CVSS
CVE-2002-0900HIGHpoc

Buffer overflow in pks PGP public key web server before 0.9.5 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long search argument to the lookup capability.

4 Oct 2002
7.5
CVSS
CVE-2001-0554CRITICALpoc

Buffer overflow in BSD-based telnetd telnet daemon on various operating systems allows remote attackers to execute arbitrary commands via a set of options including AYT (Are You There), which is not properly handled by the telrcv function.

14 Aug 2001
10.0
CVSS
CVE-2001-0417LOW

Kerberos 4 (aka krb4) allows local users to overwrite arbitrary files via a symlink attack on new ticket files.

27 Jun 2001
2.1
CVSS
CVE-2001-0247CRITICALpoc

Buffer overflows in BSD-based FTP servers allows remote attackers to execute arbitrary commands via a long pattern string containing a {} sequence, as seen in (1) g_opendir, (2) g_lstat, (3) g_stat, and (4) the glob0 buffer as used in the glob functions glob2 and glob3.

18 Jun 2001
10.0
CVSS
CVE-2001-1323HIGH

Buffer overflow in MIT Kerberos 5 (krb5) 1.2.2 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via base-64 encoded data, which is not properly handled when the radix_encode function processes file glob output from the ftpglob function.

16 May 2001
7.5
CVSS
CVE-2000-0514CRITICAL

GSSFTP FTP daemon in Kerberos 5 1.1.x does not properly restrict access to some FTP commands, which allows remote attackers to cause a denial of service, and local users to gain root privileges.

14 Jun 2000
10.0
CVSS