CVE-2020-17049
MEDIUMWindows Server 2012, 2016, 2019 and Samba 4.1.0-4.13.12 - Security Feature Bypass in Kerberos Constrained Delegation
Title source: llmDescription
A security feature bypass vulnerability exists in the way Key Distribution Center (KDC) determines if a service ticket can be used for delegation via Kerberos Constrained Delegation (KCD). To exploit the vulnerability, a compromised service that is configured to use KCD could tamper with a service ticket that is not valid for delegation to force the KDC to accept it. The update addresses this vulnerability by changing how the KDC validates service tickets used with KCD.
References (3)
Core 3
Core References
Mailing List, Third Party Advisory mailing-list
http://www.openwall.com/lists/oss-security/2021/11/10/3
Third Party Advisory vendor-advisory
https://security.gentoo.org/glsa/202309-06
Patch, Vendor Advisory
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17049
Scores
CVSS v3
6.6
EPSS
0.2555
EPSS Percentile
96.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-863
Status
published
Products (9)
microsoft/windows_server_2012
microsoft/windows_server_2012
r2
microsoft/windows_server_2016
microsoft/windows_server_2016
20h2
microsoft/windows_server_2016
1903
microsoft/windows_server_2016
1909
microsoft/windows_server_2016
2004
microsoft/windows_server_2019
samba/samba
4.1.0 - 4.13.13
Published
Nov 11, 2020
Tracked Since
Feb 18, 2026