CVE-2012-1012

First published: Wed Feb 22 2012(Updated: )

It was reported [1] that, within the kadmin protocol, the access controls for get_strings/set_string were insufficient; anyone with global list privileges could get or modify string attributed on any principal. It was also noted that the exposure depends on how generous the kadmind acl was with list permissions and whether or not string attributes were used in deployment (and noting that nothing in the core code uses them yet). This has been fixed upstream [2] and in Fedora [3]. [1] <a href="http://krbdev.mit.edu/rt/Ticket/Display.html?user=guest&amp;pass=guest&amp;id=7093">http://krbdev.mit.edu/rt/Ticket/Display.html?user=guest&amp;pass=guest&amp;id=7093</a> [2] <a href="http://src.mit.edu/fisheye/changelog/krb5/?cs=25704">http://src.mit.edu/fisheye/changelog/krb5/?cs=25704</a> [3] <a href="http://koji.fedoraproject.org/koji/buildinfo?buildID=300840">http://koji.fedoraproject.org/koji/buildinfo?buildID=300840</a>

Credit: cve@mitre.org

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• collector/nvd-index
• agent/type
• agent/first-publish-date
• agent/softwarecombine
• collector/mitre-cve
• source/MITRE
• agent/last-modified-date
• agent/references
• agent/author
• agent/severity
• agent/weakness
• agent/description
• agent/event
• collector/redhat-bugzilla
• source/Red Hat
• alias/CVE-2012-1012
• agent/tags
• agent/trending
• vendor/mit
• canonical/mit kerberos 5
• version/mit kerberos 5/1.10
• version/mit kerberos 5/1.10.1