CVE-2014-9422

CVSS V2 Medium 6.1 CVSS V3 None
Description
The check_rpcsec_auth function in kadmin/server/kadm_rpc_svc.c in kadmind in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 allows remote authenticated users to bypass a kadmin/* authorization check and obtain administrative access by leveraging access to a two-component principal with an initial "kadmind" substring, as demonstrated by a "ka/x" principal.
Overview
  • CVE ID
  • CVE-2014-9422
  • Assigner
  • cve@mitre.org
  • Vulnerability Status
  • Modified
  • Published Version
  • 2015-02-19T11:59:06
  • Last Modified Date
  • 2020-01-21T15:46:57
Weakness Enumerations
CWE URL
CWE-284 http://cwe.mitre.org/data/definitions/284.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:mit:kerberos_5:1.11:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mit:kerberos_5:1.11.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mit:kerberos_5:1.11.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mit:kerberos_5:1.11.3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mit:kerberos_5:1.11.4:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mit:kerberos_5:1.11.5:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mit:kerberos_5:1.12:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mit:kerberos_5:1.12.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mit:kerberos_5:1.12.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mit:kerberos_5:1.13:*:*:*:*:*:*:* 1 OR
CVSS Version 2
  • Version
  • 2.0
  • Vector String
  • AV:N/AC:H/Au:S/C:P/I:P/A:C
  • Access Vector
  • NETWORK
  • Access Compatibility
  • HIGH
  • Authentication
  • SINGLE
  • Confidentiality Impact
  • PARTIAL
  • Integrity Impact
  • PARTIAL
  • Availability Impact
  • COMPLETE
  • Base Score
  • 6.1
  • Severity
  • MEDIUM
  • Exploitability Score
  • 3.9
  • Impact Score
  • 8.5
References
Reference URL Reference Tags
https://github.com/krb5/krb5/commit/6609658db0799053fbef0d7d0aa2f1fd68ef32d8
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2015-001.txt Vendor Advisory
http://web.mit.edu/kerberos/advisories/2015-001-patch-r113.txt
http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00016.html
http://www.debian.org/security/2015/dsa-3153
http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00011.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151103.html
http://rhn.redhat.com/errata/RHSA-2015-0439.html
http://lists.opensuse.org/opensuse-updates/2015-02/msg00044.html
http://www.ubuntu.com/usn/USN-2498-1
http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151437.html
http://www.mandriva.com/security/advisories?name=MDVSA-2015:069
http://rhn.redhat.com/errata/RHSA-2015-0794.html
http://www.securityfocus.com/bid/72494
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2014-9422
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9422
History
Created Old Value New Value Data Type Notes
2022-05-10 16:53:01 Added to TrackCVE
2022-12-02 03:38:49 2015-02-19T11:59Z 2015-02-19T11:59:06 CVE Published Date updated
2022-12-02 03:38:49 2020-01-21T15:46:57 CVE Modified Date updated
2022-12-02 03:38:49 Modified Vulnerability Status updated