Vulnerability Description
The iakerb_gss_export_sec_context function in lib/gssapi/krb5/iakerb.c in MIT Kerberos 5 (aka krb5) 1.14 pre-release 2015-09-14 improperly accesses a certain pointer, which allows remote authenticated users to cause a denial of service (memory corruption) or possibly have unspecified other impact by interacting with an application that calls the gss_export_sec_context function. NOTE: this vulnerability exists because of an incorrect fix for CVE-2015-2696.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| MIT | Kerberos 5 | 1.14 |
Related Weaknesses (CWE)
References
- http://krbdev.mit.edu/rt/Ticket/Display.html?id=8273 (Vendor Advisory)
- http://lists.opensuse.org/opensuse-updates/2015-11/msg00116.html
- http://lists.opensuse.org/opensuse-updates/2015-12/msg00124.html
- http://www.ubuntu.com/usn/USN-2810-1
- https://github.com/krb5/krb5/commit/3db8dfec1ef50ddd78d6ba9503185995876a39fd
FAQ
What is CVE-2015-2698?
CVE-2015-2698 is a vulnerability with a CVSS score of 8.5 (HIGH). The iakerb_gss_export_sec_context function in lib/gssapi/krb5/iakerb.c in MIT Kerberos 5 (aka krb5) 1.14 pre-release 2015-09-14 improperly accesses a certain pointer, which allows remote authenticated...
How severe is CVE-2015-2698?
CVE-2015-2698 has been rated HIGH with a CVSS base score of 8.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2015-2698?
Check the references section above for vendor advisories and patch information. Affected products include: MIT Kerberos 5.