CVE-2014-5355

MIT Kerberos 5 - Denial of Service

Title source: rule

Description

MIT Kerberos 5 (aka krb5) through 1.13.1 incorrectly expects that a krb5_read_message data field is represented as a string ending with a '\0' character, which allows remote attackers to (1) cause a denial of service (NULL pointer dereference) via a zero-byte version string or (2) cause a denial of service (out-of-bounds read) by omitting the '\0' character, related to appl/user_user/server.c and lib/krb5/krb/recvauth.c.

References (10)

Scores

EPSS 0.0942
EPSS Percentile 92.7%

Classification

Status draft

Affected Products (50)

mit/kerberos_5
mit/kerberos_5
mit/kerberos_5
mit/kerberos_5
mit/kerberos_5
mit/kerberos_5
mit/kerberos_5
mit/kerberos_5
mit/kerberos_5
mit/kerberos_5
mit/kerberos_5
mit/kerberos_5
mit/kerberos_5
mit/kerberos_5
mit/kerberos_5
... and 35 more

Timeline

Published Feb 20, 2015
Tracked Since Feb 18, 2026