CVE-2021-37750
Publication date 23 August 2021
Last updated 24 July 2024
The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.5 and 1.19.x before 1.19.3 has a NULL pointer dereference in kdc/do_tgs_req.c via a FAST inner body that lacks a server field.
Status
Package | Ubuntu Release | Status |
---|---|---|
krb5 | 24.10 oracular | Not affected |
krb5 | 24.04 LTS noble | Not affected |
krb5 | 22.04 LTS jammy | Not affected |
krb5 | 20.04 LTS focal | Fixed 1.17-6ubuntu4.3 |
krb5 | 18.04 LTS bionic | Fixed 1.16-2ubuntu0.4 |
krb5 | 16.04 LTS xenial | Not affected |
krb5 | 14.04 LTS trusty | Not affected |
Notes
ccdm94
This vulnerability was introduced by commit 39548a5, as established by upstream. Prior to this commit, an error would occur instead of the null dereference. In the patch notes, the CVE is described as affecting releases 1.14 and later only (meaning that xenial and trusty are not affected by this).
Severity score breakdown
Parameter | Value |
---|---|
Base score | 6.5 · Medium |
Attack vector | Network |
Attack complexity | Low |
Privileges required | Low |
User interaction | None |
Scope | Unchanged |
Confidentiality impact | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-5959-1: Kerberos vulnerabilities (16 March 2023)