Your submission was sent successfully! Close

CVE-2021-37750

Published: 23 August 2021

The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.5 and 1.19.x before 1.19.3 has a NULL pointer dereference in kdc/do_tgs_req.c via a FAST inner body that lacks a server field.

Priority

Medium

CVSS 3 base score: 6.5

Status

Package Release Status
krb5
Launchpad, Ubuntu, Debian
bionic Needed

focal Needed

hirsute Ignored
(reached end-of-life)
impish Needed

jammy Not vulnerable
(1.19.2-2)
trusty Not vulnerable
(code not present)
upstream
Released (1.19.3, 1.18.3-7)
xenial Not vulnerable
(code not present)

Notes

AuthorNote
ccdm94
this vulnerability was introduced by commit 39548a5, as
established by upstream. Prior to this commit, an error
would occur instead of the null deference. In the patch
notes, the CVE is described as affecting releases 1.14
and later only (meaning that xenial and trusty are not
affected by this).

References

Bugs