CVE-2014-5354

MIT Kerberos 1.12.x and 1.13.x < 1.13.1 - Authenticated Denial of Service via Keyless Principal Creation

Title source: llm
STIX 2.1

Description

plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x before 1.13.1, when the KDC uses LDAP, allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) by creating a database entry for a keyless principal, as demonstrated by a kadmin "add_principal -nokey" or "purgekeys -all" command.

References (5)

Core 5
Core References
Mailing List vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2015-03/msg00061.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/71680
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1031376
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2498-1

Scores

EPSS 0.0054
EPSS Percentile 67.8%

Details

Status published
Products (4)
mit/kerberos 5_1.13
mit/kerberos_5 1.12
mit/kerberos_5 1.12.1
mit/kerberos_5 1.12.2
Published Dec 16, 2014
Tracked Since Feb 18, 2026