CVE-2022-42898

Name
CVE-2022-42898
Description
PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has "a similar bug."
NVD Severity
unknown
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
CONFIRM https://github.com/krb5/krb5/commit/ea92d2f0fcceb54a70910fa32e9a0d7a5afc3583
MISC https://bugzilla.samba.org/show_bug.cgi?id=15203
MISC https://web.mit.edu/kerberos/advisories/
CONFIRM https://www.samba.org/samba/security/CVE-2022-42898.html
CONFIRM https://github.com/heimdal/heimdal/security/advisories/GHSA-64mq-fvfj-5x3c
CONFIRM https://web.mit.edu/kerberos/krb5-1.20/README-1.20.1.txt
CONFIRM https://web.mit.edu/kerberos/krb5-1.19/

Match rules

CPE URI Source package Min version Max version

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
krb5 3.16-main 1.19.4-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
krb5 3.15-main 1.19.4-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
krb5 3.17-main 1.20.1-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
heimdal 3.16-main 7.7.1-r0 Leonardo Arena <rnalrd@alpinelinux.org> fixed
heimdal 3.15-main 7.7.1-r0 Leonardo Arena <rnalrd@alpinelinux.org> fixed