CVE-2015-2694

Advisory lineage Upstream: 0 Downstream: 6

Downstream

DEBIAN-CVE-2015-2694 OPENSUSE-SU-2024:10004-1 RHSA-2015:2154 SUSE-SU-2015:1276-1 UBUNTU-CVE-2015-2694 USN-2810-1

Modified

Published: 25 May 2015, 19:00

Last modified:06 Aug 2024, 05:24

Vulnerability Summary

Overall Risk (default)

low

23/100

CVSS Score

5.8 MEDIUM

v2.0 (nvd)

EPSS Score

0.89% LOW

1% probability +0.56%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

25 May 2015, 19:00

Published

Vulnerability first disclosed

06 Aug 2024, 05:24

Last Modified

Vulnerability information updated

Description

The kdcpreauth modules in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x before 1.13.2 do not properly track whether a client's request has been validated, which allows remote attackers to bypass an intended preauthentication requirement by providing (1) zero bytes of data or (2) an arbitrary realm name, related to plugins/preauth/otp/main.c and plugins/preauth/pkinit/pkinit_srv.c.

CVSS Metrics

v2.0•MEDIUM•Score: 5.8AV:N/AC:M/Au:N/C:P/I:P/A:N

EPSS Trends

Current EPSS score: 0.89%• Percentile: 76%

Techniques & Countermeasures

CWE-264•Permissions, Privileges, and Access Controls
Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

Affected Systems

mit•kerberos_5
1.12 | 1.12.1 | 1.12.2 | 1.12.3 | 1.13 | 1.13.1