CVE-2021-36222 - log back

CVE-2021-36222 edited at 22 Jul 2021 21:00:34
Description
- In MIT krb5 releases 1.16 and later before 1.19.2, an unauthenticated attacker can cause a null dereference in the KDC by sending a request containing a PA-ENCRYPTED-CHALLENGE padata element without using FAST.
+ ec_verify in kdc/kdc_preauth_ec.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.19.2 allows remote attackers to cause a NULL pointer dereference and daemon crash. This occurs because a return value is not properly managed in a certain situation.
CVE-2021-36222 edited at 19 Jul 2021 15:42:19
Severity
- Unknown
+ Low
Remote
- Unknown
+ Remote
Type
- Unknown
+ Denial of service
Description
+ In MIT krb5 releases 1.16 and later before 1.19.2, an unauthenticated attacker can cause a null dereference in the KDC by sending a request containing a PA-ENCRYPTED-CHALLENGE padata element without using FAST.
References
+ https://bugzilla.redhat.com/show_bug.cgi?id=1983720
+ https://krbdev.mit.edu/rt/Ticket/Display.html?id=9007
+ https://github.com/krb5/krb5/commit/83f701ee212122471f42bdfe3195d5c1c2cdb09d
Notes
CVE-2021-36222 created at 19 Jul 2021 15:39:25