CVE-2024-37371

Updated: 2024-10-11 17:30:01.166681

Description:

In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.


Links: NIST, CIRCL, RHEL, Ubuntu

Severity

| CVSS version | Severity | Score |
|---|---|---|
| CVSS Version 2.x | | 0 |
| CVSS Version 3.x | CRITICAL | 9.1 |

Status

| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated |
|---|---|---|---|---|---|---|---|
| AlmaLinux 9.2 ESU | krb5 | 1.20.1 | 9.1 | CRITICAL | Released | CLSA-2024:1726769331 | 2024-09-19 14:24:51 |
| CentOS 6 ELS | krb5 | 1.10.3 | 9.1 | CRITICAL | Ignored | | 2024-10-11 17:30:01 |
| CentOS 7 ELS | krb5 | 1.15.1 | 9.1 | CRITICAL | Released | CLSA-2024:1726840907 | 2024-10-01 17:32:16 |
| CentOS 8.4 ELS | krb5 | 1.18.2-8.3 | 9.1 | CRITICAL | Released | CLSA-2024:1726769233 | 2024-09-19 14:24:50 |
| CentOS 8.5 ELS | krb5 | 1.18.2-14 | 9.1 | CRITICAL | Released | CLSA-2024:1726769396 | 2024-09-19 14:24:49 |
| CloudLinux 6 ELS | krb5 | 1.10.3 | 9.1 | CRITICAL | Ignored | | 2024-10-11 17:30:03 |
| CloudLinux 7 ELS | krb5 | 1.15.1 | 9.1 | CRITICAL | Released | CLSA-2024:1726841437 | 2024-10-01 17:32:16 |
| Oracle Linux 6 ELS | krb5 | 1.10.3 | 9.1 | CRITICAL | Ignored | | 2024-10-11 17:30:01 |
| Ubuntu 16.04 ELS | krb5 | 1.13.2 | 9.1 | CRITICAL | Released | CLSA-2024:1727287657 | 2024-09-25 14:28:27 |
| Ubuntu 18.04 ELS | krb5 | 1.16-2 | 9.1 | CRITICAL | Released | CLSA-2024:1727288271 | 2024-09-25 14:28:29 |

Statement

We have reasoned not to port the fix for this CVE since upstream changes are too intrusive, affecting pkinit, encryption/decryption and tag parsing functionality.