Debian Edu Configuration Flaw in Debian and Debian-LAN Software
CVE-2019-3467

7.8HIGH

Key Information:

Vendor

Debian
Status
Debian Edu
Vendor
CVE Published:
23 December 2019

What is CVE-2019-3467?

A configuration issue in debian-edu-config and debian-lan-config allowed overly permissive access control lists (ACLs) for the Kerberos admin server. This misconfiguration enabled unauthorized password changes for other Kerberos user principals, potentially compromising user accounts and system integrity. All versions of debian-edu-config prior to 2.11.10 and versions of debian-lan-config below 0.26 are affected, highlighting the importance of maintaining secure configurations in educational environments.

Affected Version(s)

Debian Edu all versions < 2.11.10

References

https://lists.debian.org/debian-lts-announce/2019/12/msg0...
mailing-listx_refsource_MLIST
https://seclists.org/bugtraq/2019/Dec/34
mailing-listx_refsource_BUGTRAQ
https://www.debian.org/security/2019/dsa-4589
vendor-advisoryx_refsource_DEBIAN

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.