Token Manipulation Vulnerability in MIT Kerberos 5 Product
CVE-2024-37370
7.5 HIGH
What is CVE-2024-37370?
The vulnerability in MIT Kerberos 5 enables an attacker to manipulate the Extra Count field in a confidential GSS krb5 wrap token. By modifying this field, the attacker can cause the application to interpret the unwrapped token as truncated. This manipulation poses significant risks as it can lead to unauthorized access or data integrity issues. It is crucial for organizations using affected versions of Kerberos 5 to implement appropriate security measures and apply the latest updates to mitigate potential exploitation.
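The truncation effect, and a receiver-side check that detects it, shown in an added example that is not code from MIT Kerberos or from this advisory. It assumes the 16-byte wrap token header layout from RFC 4121 and the rule that a copy of that header is placed after the message inside the encrypted part. Decryption is left out: the "decrypted" payload, the sample message and all function names are constructed for illustration.

```python
import struct

# RFC 4121 wrap token header: TOK_ID, Flags, Filler, EC, RRC, SND_SEQ (16 bytes)
HDR = struct.Struct(">HBBHHQ")
TOK_WRAP, FLAG_SEALED = 0x0504, 0x02

def make_header(ec, seq):
    return HDR.pack(TOK_WRAP, FLAG_SEALED, 0xFF, ec, 0, seq)

def build_decrypted(message, ec, seq):
    # Constructed stand-in for the decrypted payload: data | EC filler bytes | header copy
    return message + b"\x00" * ec + make_header(ec, seq)

def unwrap(outer_hdr, decrypted, check_ec=True):
    """Return the message, given the cleartext header and the decrypted payload."""
    if len(outer_hdr) != HDR.size or len(decrypted) < HDR.size:
        raise ValueError("token too short")
    tok_id, flags, filler, ec, _rrc, seq = HDR.unpack(outer_hdr)
    if tok_id != TOK_WRAP or filler != 0xFF or not flags & FLAG_SEALED:
        raise ValueError("not a confidential wrap token")
    in_id, in_flags, in_filler, in_ec, _, in_seq = HDR.unpack(decrypted[-HDR.size:])
    if (in_id, in_flags, in_filler, in_seq) != (tok_id, flags, filler, seq):
        raise ValueError("header copy does not match outer header")
    # The outer header travels in cleartext; the copy inside the ciphertext
    # is covered by the encryption's integrity protection, so trust that EC.
    if check_ec and in_ec != ec:
        raise ValueError("Extra Count mismatch: outer header was modified")
    end = len(decrypted) - HDR.size - ec
    if end < 0:
        raise ValueError("Extra Count exceeds payload length")
    return decrypted[:end]

MESSAGE = b"amount=100;currency=USD"          # constructed sample plaintext
DECRYPTED = build_decrypted(MESSAGE, ec=4, seq=7)
GOOD_HDR = make_header(ec=4, seq=7)
TAMPERED_HDR = make_header(ec=17, seq=7)      # only the cleartext EC differs

if __name__ == "__main__":
    print(unwrap(GOOD_HDR, DECRYPTED))
    print(unwrap(TAMPERED_HDR, DECRYPTED, check_ec=False))  # truncated message
    try:
        unwrap(TAMPERED_HDR, DECRYPTED)
    except ValueError as exc:
        print("rejected:", exc)
```

With the check disabled, the receiver silently hands the application a shortened message; with it enabled, the token is rejected before any data is returned.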
