CVE-2019-12098

Published: 15 May 2019

In the client side of Heimdal before 7.6.0, failure to verify anonymous PKINIT PA-PKINIT-KX key exchange permits a man-in-the-middle attack. This issue is in krb5_init_creds_step in lib/krb5/init_creds_pw.c.

Priority

Low

CVSS 3 base score: 7.4

Status

Package: heimdal (Launchpad, Ubuntu, Debian)

Release                            Status
Upstream                           Needs triage
Ubuntu 21.04 (Hirsute Hippo)       Not vulnerable (7.5.0+dfsg-3build1)
Ubuntu 20.10 (Groovy Gorilla)      Not vulnerable (7.5.0+dfsg-3build1)
Ubuntu 20.04 LTS (Focal Fossa)     Not vulnerable (7.5.0+dfsg-3build1)
Ubuntu 18.04 LTS (Bionic Beaver)   Needed
Ubuntu 16.04 ESM (Xenial Xerus)    Needed
Ubuntu 14.04 ESM (Trusty Tahr)     Needed
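
To check installed heimdal packages against the status table above, here is an added example in Python (written for this page; it is not code from the Ubuntu CVE tracker or from the Heimdal project). It re-implements dpkg's version-ordering rules so it runs where dpkg is not available, and encodes the per-release fixed versions listed above. The release codenames, the fallback to the upstream 7.6.0 release for releases the table does not list, the function names, and the sample version strings in the `__main__` block are assumptions made for the example.

```python
# Added example (not from the Ubuntu CVE tracker or from Heimdal): decide whether
# an installed Ubuntu heimdal package carries the fix for CVE-2019-12098, using
# the status table on this page and dpkg's version-ordering algorithm.

# Package versions that contain the fix, per Ubuntu release codename, taken
# from the status table. None means the tracker lists the release as "Needed"
# (no fixed package published). Codenames are an assumption of this example.
FIXED_IN = {
    "hirsute": "7.5.0+dfsg-3build1",
    "groovy":  "7.5.0+dfsg-3build1",
    "focal":   "7.5.0+dfsg-3build1",
    "bionic":  None,
    "xenial":  None,
    "trusty":  None,
}

# Upstream Heimdal release that carries the fix, from the CVE description.
UPSTREAM_FIXED = "7.6.0"


def _order(c: str) -> int:
    """Character weight used by dpkg: digits are handled separately (0),
    '~' sorts before everything including the end of the string (-1),
    letters sort by code point, other characters sort after letters."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256 if c else 0


def _verrevcmp(a: str, b: str) -> int:
    """Compare two upstream-version or revision strings as dpkg does:
    alternate non-digit runs (compared char by char with _order) and digit
    runs (compared numerically, leading zeros ignored)."""
    while a or b:
        first_diff = 0
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac = _order(a[0] if a else "")
            bc = _order(b[0] if b else "")
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")
        while a and a[0].isdigit() and b and b[0].isdigit():
            if not first_diff:
                first_diff = int(a[0]) - int(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1          # a's number has more digits, so it is larger
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(v1: str, v2: str) -> int:
    """Return <0, 0 or >0 as v1 sorts before, equal to, or after v2 (dpkg order)."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def cve_2019_12098_status(release: str, installed: str) -> str:
    """Classify an installed heimdal package version for a release codename.
    The per-release table wins over the upstream version number, because the
    Ubuntu 7.5.0+dfsg-3build1 packages carry the fix as a backport."""
    if release not in FIXED_IN:
        # Release not tracked on this page: assume only upstream >= 7.6.0 is fixed.
        return "fixed" if compare_versions(installed, UPSTREAM_FIXED) >= 0 else "affected"
    fixed = FIXED_IN[release]
    if fixed is None:
        return "affected (tracker lists this release as Needed)"
    return "fixed" if compare_versions(installed, fixed) >= 0 else "affected"


if __name__ == "__main__":
    # Constructed sample inputs: what `dpkg-query -W -f='${Version}'` might print.
    for rel, ver in [("focal", "7.5.0+dfsg-3build1"),
                     ("focal", "7.5.0+dfsg-1"),
                     ("bionic", "7.5.0+dfsg-1")]:
        print(f"{rel:8} {ver:22} {cve_2019_12098_status(rel, ver)}")
```

Feed it the release codename and the version string from `dpkg-query -W -f='${Version}' heimdal-clients` (or whichever heimdal binary package is installed, e.g. libkrb5-26-heimdal). Where dpkg is present, its own comparison is the reference: `dpkg --compare-versions "$v" ge 7.5.0+dfsg-3build1`.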

Patches:
Upstream: https://github.com/heimdal/heimdal/commit/2f7f3d9960aa6ea21358bdf3687cee5149aa35cf