Vulnerability Details : CVE-2014-4342
MIT Kerberos 5 (aka krb5) 1.7.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (buffer over-read or NULL pointer dereference, and application crash) by injecting invalid tokens into a GSSAPI application session.
Vulnerability category: OverflowMemory CorruptionDenial of service
Products affected by CVE-2014-4342
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_hpc_node:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:mit:kerberos:5-1.10.6:*:*:*:*:*:*:*
- cpe:2.3:a:mit:kerberos:5-1.10.5:*:*:*:*:*:*:*
- cpe:2.3:a:mit:kerberos:5-1.10.7:*:*:*:*:*:*:*
- cpe:2.3:a:mit:kerberos:5-1.8:alpha1:*:*:*:*:*:*
- cpe:2.3:a:mit:kerberos_5:1.7:*:*:*:*:*:*:*
- cpe:2.3:a:mit:kerberos_5:1.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:mit:kerberos_5:1.8:*:*:*:*:*:*:*
- cpe:2.3:a:mit:kerberos_5:1.8.3:*:*:*:*:*:*:*
- cpe:2.3:a:mit:kerberos_5:1.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:mit:kerberos_5:1.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:mit:kerberos_5:1.9:*:*:*:*:*:*:*
- cpe:2.3:a:mit:kerberos_5:1.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:mit:kerberos_5:1.8.4:*:*:*:*:*:*:*
- cpe:2.3:a:mit:kerberos_5:1.10:*:*:*:*:*:*:*
- cpe:2.3:a:mit:kerberos_5:1.10.1:*:*:*:*:*:*:*
- cpe:2.3:a:mit:kerberos_5:1.8.5:*:*:*:*:*:*:*
- cpe:2.3:a:mit:kerberos_5:1.8.6:*:*:*:*:*:*:*
- cpe:2.3:a:mit:kerberos_5:1.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:mit:kerberos_5:1.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:mit:kerberos_5:1.10.2:*:*:*:*:*:*:*
- cpe:2.3:a:mit:kerberos_5:1.9.4:*:*:*:*:*:*:*
- cpe:2.3:a:mit:kerberos_5:1.11.2:*:*:*:*:*:*:*
- cpe:2.3:a:mit:kerberos_5:1.11.1:*:*:*:*:*:*:*
- cpe:2.3:a:mit:kerberos_5:1.11:*:*:*:*:*:*:*
- cpe:2.3:a:mit:kerberos_5:1.11.3:*:*:*:*:*:*:*
- cpe:2.3:a:mit:kerberos_5:1.10.4:*:*:*:*:*:*:*
- cpe:2.3:a:mit:kerberos_5:1.10.3:*:*:*:*:*:*:*
- cpe:2.3:a:mit:kerberos_5:1.11.4:*:*:*:*:*:*:*
- cpe:2.3:a:mit:kerberos_5:1.12:*:*:*:*:*:*:*
- cpe:2.3:a:mit:kerberos_5:1.12.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-4342
24.04%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 97 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2014-4342
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
10.0
|
2.9
|
NIST |
CWE ids for CVE-2014-4342
-
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-4342
-
http://advisories.mageia.org/MGASA-2014-0345.html
Mageia Advisory: MGASA-2014-0345 - Updated krb5 package fixes security vulnerabilitiesThird Party Advisory
-
http://www.securityfocus.com/bid/68908
MIT Kerberos 5 GSSAPI Remote Denial of Service VulnerabilityThird Party Advisory;VDB Entry
-
http://www.securitytracker.com/id/1030706
MIT Kerberos Multiple Memory Errors Let Remote Users Deny Service - SecurityTrackerThird Party Advisory;VDB Entry
-
http://www.debian.org/security/2014/dsa-3000
Debian -- Security Information -- DSA-3000-1 krb5Third Party Advisory
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/94903
MIT Kerberos GSSAPI denial of service CVE-2014-4342 Vulnerability ReportThird Party Advisory;VDB Entry
-
http://www.mandriva.com/security/advisories?name=MDVSA-2014:165
mandriva.comThird Party Advisory
-
https://github.com/krb5/krb5/commit/e6ae703ae597d798e310368d52b8f38ee11c6a73
Handle invalid RFC 1964 tokens [CVE-2014-4341...] · krb5/krb5@e6ae703 · GitHubPatch;Issue Tracking;Third Party Advisory
-
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
Oracle Critical Patch Update - October 2017Patch;Third Party Advisory;VDB Entry
-
http://krbdev.mit.edu/rt/Ticket/Display.html?id=7949
#7949: Handle invalid RFC 1964 tokens [CVE-2014-4341 CVE-2014-4342]Issue Tracking;Vendor Advisory
-
http://rhn.redhat.com/errata/RHSA-2015-0439.html
RHSA-2015:0439 - Security Advisory - Red Hat Customer PortalThird Party Advisory
Jump to