CVE-2017-11462
Published: 13 September 2017
Double free vulnerability in MIT Kerberos 5 (aka krb5) allows attackers to have unspecified impact via vectors involving automatic deletion of security contexts on error.
From the Ubuntu Security Team
It was discovered that Kerberos incorrectly handled deletion of security contexts. An attacker could possibly use this issue to cause a denial of service or other unspecified impact.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
krb5 Launchpad, Ubuntu, Debian |
artful |
Ignored
(end of life)
|
| bionic |
Not vulnerable
(1.15.2-1)
|
|
| cosmic |
Not vulnerable
(1.15.2-1)
|
|
| disco |
Not vulnerable
(1.15.2-1)
|
|
| eoan |
Not vulnerable
(1.15.2-1)
|
|
| focal |
Not vulnerable
(1.15.2-1)
|
|
| groovy |
Not vulnerable
(1.15.2-1)
|
|
| trusty |
Released
(1.12+dfsg-2ubuntu5.4)
|
|
| upstream |
Needs triage
|
|
| xenial |
Released
(1.13.2+dfsg-5ubuntu2.1)
|
|
| zesty |
Ignored
(end of life)
|
|
| hirsute |
Not vulnerable
(1.15.2-1)
|
|
|
Patches: upstream: https://github.com/krb5/krb5/commit/56f7b1bc95a2a3eeb420e069e7655fb181ade5cf |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 9.8 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |