CVE-2021-36222

Advisory lineage Upstream: 0 Downstream: 22
Modified
Published: 22 Jul 2021, 17:28
Last modified:04 Aug 2024, 00:54

Vulnerability Summary

Overall Risk (default)
medium
31/100
CVSS Score
7.5 HIGH
v3.1 (nvd)
EPSS Score
6.62% LOW
7% probability -1.40%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

22 Jul 2021, 17:28
Published
Vulnerability first disclosed
04 Aug 2024, 00:54
Last Modified
Vulnerability information updated

Description

ec_verify in kdc/kdc_preauth_ec.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.4 and 1.19.x before 1.19.2 allows remote attackers to cause a NULL pointer dereference and daemon crash. This occurs because a return value is not properly managed in a certain situation.

CVSS Metrics

  • v3.1HIGHScore: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • v2.0MEDIUMScore: 5AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS Trends

Current EPSS score: 6.62% Percentile: 91%

Techniques & Countermeasures

  • CWE-476NULL Pointer Dereference

    The product dereferences a pointer that it expects to be valid but is NULL.

Affected Systems

  • debiandebian_linux

    10.0

  • mitkerberos_5

    < 1.18.4 | ≥ 1.19.0, < 1.19.2

  • netappactive_iq_unified_manager

    na

  • netapponcommand_insight

    na

  • netapponcommand_workflow_automation

    na

  • netappsnapcenter

    na

  • oraclemysql_server

    ≥ 8.0.0, ≤ 8.0.26

References (7)