Vulnerabilities > CVE-2019-25018 - Incorrect Authorization vulnerability in MIT Krb5-Appl

CVSS 5.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

PARTIAL

Availability impact

NONE

network

low complexity

mit

CWE-863

NVD

Published: 2021-02-02

Updated: 2021-07-21

Summary

In the rcp client in MIT krb5-appl through 1.0.3, malicious servers could bypass intended access restrictions via the filename of . or an empty filename, similar to CVE-2018-20685 and CVE-2019-7282. The impact is modifying the permissions of the target directory on the client side. NOTE: MIT krb5-appl is not supported upstream but is shipped by a few Linux distributions. The affected code was removed from the supported MIT Kerberos 5 (aka krb5) product many years ago, at version 1.8.

Vulnerable Configurations

Part	Description	Count
Application	Mit MIT Krb5 Appl 1.0 MIT Krb5 Appl 1.0.1 MIT Krb5 Appl 1.0.2 MIT Krb5 Appl 1.0.3	5

Common Weakness Enumeration (CWE)

CWE-863 - Incorrect Authorization

References

https://bugzilla.suse.com/show_bug.cgi?id=1131109