Vulnerability Description
MIT Kerberos 5 (aka krb5) before 1.17.2 and 1.18.x before 1.18.3 allows unbounded recursion via an ASN.1-encoded Kerberos message because the lib/krb5/asn.1/asn1_encode.c support for BER indefinite lengths lacks a recursion limit.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mit | Kerberos 5 | < 1.17.2 |
| Fedoraproject | Fedora | 31 |
| Netapp | Active Iq Unified Manager | - |
| Netapp | Cloud Backup | - |
| Netapp | Oncommand Insight | - |
| Netapp | Oncommand Workflow Automation | - |
| Netapp | Snapcenter | - |
| Oracle | Communications Cloud Native Core Policy | 1.14.0 |
| Oracle | Communications Offline Mediation Controller | 12.0.0.3.0 |
| Oracle | Communications Pricing Design Center | 12.0.0.3.0 |
| Oracle | Mysql Server | <= 8.0.23 |
Related Weaknesses (CWE)
References
- https://github.com/krb5/krb5/commit/57415dda6cf04e73ffc3723be518eddfae599bfdPatchThird Party Advisory
- https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e3
- https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8
- https://lists.debian.org/debian-lts-announce/2020/11/msg00011.htmlMailing ListThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://security.gentoo.org/glsa/202011-17Third Party Advisory
- https://security.netapp.com/advisory/ntap-20201202-0001/Third Party Advisory
- https://security.netapp.com/advisory/ntap-20210513-0002/Third Party Advisory
- https://www.debian.org/security/2020/dsa-4795Third Party Advisory
- https://www.oracle.com//security-alerts/cpujul2021.htmlPatchThird Party Advisory
- https://www.oracle.com/security-alerts/cpuApr2021.htmlPatchThird Party Advisory
- https://www.oracle.com/security-alerts/cpuapr2022.htmlPatchThird Party Advisory
- https://github.com/krb5/krb5/commit/57415dda6cf04e73ffc3723be518eddfae599bfdPatchThird Party Advisory
FAQ
What is CVE-2020-28196?
CVE-2020-28196 is a vulnerability with a CVSS score of 7.5 (HIGH). MIT Kerberos 5 (aka krb5) before 1.17.2 and 1.18.x before 1.18.3 allows unbounded recursion via an ASN.1-encoded Kerberos message because the lib/krb5/asn.1/asn1_encode.c support for BER indefinite le...
How severe is CVE-2020-28196?
CVE-2020-28196 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-28196?
Check the references section above for vendor advisories and patch information. Affected products include: Mit Kerberos 5, Fedoraproject Fedora, Netapp Active Iq Unified Manager, Netapp Cloud Backup, Netapp Oncommand Insight.