CVE-2023-36054

CVE	CVE-2023-36054
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2023-08-07 19:15:00 UTC
Updated	2023-11-15 03:23:00 UTC
Description	lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.

Problem Types: CWE-824

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Debian	Debian Linux	10.0	All	All	All
Application	Mit	Kerberos 5	All	All	All	All
Application	Mit	Kerberos 5	1.21	-	All	All
Application	Mit	Kerberos 5	1.21	beta1	All	All
Application	Netapp	Active Iq Unified Manager	-	All	All	All
Application	Netapp	Clustered Data Ontap	9.0	-	All	All
Application	Netapp	Hci	-	All	All	All
Application	Netapp	Management Services For Element Software	-	All	All	All
Application	Netapp	Ontap Tools	-	All	All	All

Reference	Source	Link	Tags
CVE-2023-36054 MIT Kerberos 5 Vulnerability in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
Comparing krb5-1.21-final...krb5-1.21.1-final · krb5/krb5 · GitHub	MISC	github.com
Comparing krb5-1.20.1-final...krb5-1.20.2-final · krb5/krb5 · GitHub	MISC	github.com
Ensure array count consistency in kadm5 RPC · krb5/krb5@ef08b09 · GitHub	CONFIRM	github.com
[SECURITY] [DLA 3626-1] krb5 security update	MLIST	lists.debian.org
Kerberos Security Advisories	MISC	web.mit.edu
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

161117 Oracle Enterprise Linux Security Update for krb5 (ELSA-2023-6699)
199884 Ubuntu Security Notification for Kerberos Vulnerability (USN-6467-1)
199891 Ubuntu Security Notification for Kerberos Vulnerability (USN-6467-2)
242312 Red Hat Update for krb5 (RHSA-2023:6699)
296105 Oracle Solaris 11.4 Support Repository Update (SRU) 63.157.1 Missing (CPUOCT2023)
356343 Amazon Linux Security Advisory for krb5 : AL2012-2023-446
6000274 Debian Security Update for krb5 (DLA 3626-1)
673391 EulerOS Security Update for krb5 (EulerOS-SA-2023-2899)
673639 EulerOS Security Update for krb5 (EulerOS-SA-2023-3034)
673674 EulerOS Security Update for krb5 (EulerOS-SA-2023-3131)
673751 EulerOS Security Update for krb5 (EulerOS-SA-2023-3011)
673802 EulerOS Security Update for krb5 (EulerOS-SA-2024-1145)
673946 EulerOS Security Update for krb5 (EulerOS-SA-2023-2880)
673998 EulerOS Security Update for krb5 (EulerOS-SA-2023-3183)
674066 EulerOS Security Update for krb5 (EulerOS-SA-2023-3218)
754289 SUSE Enterprise Linux Security Update for krb5 (SUSE-SU-2023:3365-1)
941349 AlmaLinux Security Update for krb5 (ALSA-2023:6699)