Vulnerabilities > CVE-2019-25018 - Unspecified vulnerability in MIT Krb5-Appl

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

HIGH

Availability impact

NONE

network

low complexity

mit

NVD

Published: 2021-02-02

Updated: 2021-07-21

Summary

In the rcp client in MIT krb5-appl through 1.0.3, malicious servers could bypass intended access restrictions via the filename of . or an empty filename, similar to CVE-2018-20685 and CVE-2019-7282. The impact is modifying the permissions of the target directory on the client side. NOTE: MIT krb5-appl is not supported upstream but is shipped by a few Linux distributions. The affected code was removed from the supported MIT Kerberos 5 (aka krb5) product many years ago, at version 1.8.

Vulnerable Configurations

Part	Description	Count
Application	Mit MIT Krb5 Appl 1.0 MIT Krb5 Appl 1.0.1 MIT Krb5 Appl 1.0.2 MIT Krb5 Appl 1.0.3	5

References

https://bugzilla.suse.com/show_bug.cgi?id=1131109