CVE-2022-42898
CVSS V2 None
CVSS V3 None
Description
PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has "a similar bug."
Overview
- CVE ID
- CVE-2022-42898
- Assigner
- cve@mitre.org
- Vulnerability Status
- Modified
- Published Version
- 2022-12-25T06:15:09
- Last Modified Date
- 2023-02-23T19:15:11
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| cpe:2.3:a:mit:kerberos_5:*:*:*:*:*:*:*:* | 1 | OR | 1.8 | 1.19.4 |
| cpe:2.3:a:mit:kerberos_5:1.20:-:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:a:mit:kerberos_5:1.20:beta1:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:a:heimdal_project:heimdal:*:*:*:*:*:*:*:* | 1 | OR | 7.7.1 | |
| cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:* | 1 | OR | 4.15.12 | |
| cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:* | 1 | OR | 4.16.0 | 4.16.7 |
| cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:* | 1 | OR | 4.17.0 | 4.17.3 |
References
| Reference URL | Reference Tags |
|---|---|
| https://bugzilla.samba.org/show_bug.cgi?id=15203 | Exploit Issue Tracking Patch Third Party Advisory |
| https://github.com/heimdal/heimdal/security/advisories/GHSA-64mq-fvfj-5x3c | Third Party Advisory |
| https://github.com/krb5/krb5/commit/ea92d2f0fcceb54a70910fa32e9a0d7a5afc3583 | Patch Third Party Advisory |
| https://security.netapp.com/advisory/ntap-20230216-0008/ | |
| https://security.netapp.com/advisory/ntap-20230223-0001/ | |
| https://web.mit.edu/kerberos/advisories/ | Vendor Advisory |
| https://web.mit.edu/kerberos/krb5-1.19/ | Release Notes Vendor Advisory |
| https://web.mit.edu/kerberos/krb5-1.20/README-1.20.1.txt | Vendor Advisory |
| https://www.samba.org/samba/security/CVE-2022-42898.html | Third Party Advisory |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2022-42898 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42898 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2022-12-25 06:16:19 | Added to TrackCVE | |||
| 2022-12-27 14:15:40 | 2022-12-27T13:48:11 | CVE Modified Date | updated | |
| 2022-12-27 14:15:40 | Received | Awaiting Analysis | Vulnerability Status | updated |
| 2023-01-03 13:13:39 | Awaiting Analysis | Undergoing Analysis | Vulnerability Status | updated |
| 2023-01-05 21:16:30 | 2023-01-05T20:28:07 | CVE Modified Date | updated | |
| 2023-01-05 21:16:30 | Undergoing Analysis | Analyzed | Vulnerability Status | updated |
| 2023-01-05 21:16:31 | Weakness Enumeration | new | ||
| 2023-01-05 21:16:32 | CPE Information | updated | ||
| 2023-02-16 15:13:43 | 2023-02-16T14:15:16 | CVE Modified Date | updated | |
| 2023-02-16 15:13:43 | Analyzed | Modified | Vulnerability Status | updated |
| 2023-02-16 15:13:44 | References | updated | ||
| 2023-02-23 21:15:16 | 2023-02-23T19:15:11 | CVE Modified Date | updated | |
| 2023-02-23 21:15:17 | References | updated |