What is CVE-2019-25017?

CVE-2019-25017 is a vulnerability in the rcp implementation in MIT krb5-appl through version 1.0.3.

What is the severity of CVE-2019-25017?

The severity of CVE-2019-25017 is medium, with a severity value of 5.9.

How does CVE-2019-25017 affect MIT krb5-appl?

CVE-2019-25017 affects MIT krb5-appl versions up to and including 1.0.3.

What is the CWE classification for CVE-2019-25017?

CVE-2019-25017 is classified under CWE-863.

Is there a fix available for CVE-2019-25017?

Yes, a fix is available for CVE-2019-25017. It is recommended to update to a version of MIT krb5-appl that is not affected by the vulnerability.

Vulnerability/
CVE-2019-25017

medium

5.9

CWE

863

2/2/2021

5/8/2024

CVE-2019-25017

First published: Tue Feb 02 2021(Updated: )

An issue was discovered in rcp in MIT krb5-appl through 1.0.3. Due to the rcp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the rcp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious rcp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rcp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file). This issue is similar to CVE-2019-6111 and CVE-2019-7283. NOTE: MIT krb5-appl is not supported upstream but is shipped by a few Linux distributions. The affected code was removed from the supported MIT Kerberos 5 (aka krb5) product many years ago, at version 1.8.

Credit: cve@mitre.org

Affected Software	Affected Version	How to fix
MIT krb5-appl	<=1.0.3

Never miss a vulnerability like this again

Reference Links

https://bugzilla.suse.com/show_bug.cgi?id=1131109

Frequently Asked Questions

What is CVE-2019-25017?
CVE-2019-25017 is a vulnerability in the rcp implementation in MIT krb5-appl through version 1.0.3.
What is the severity of CVE-2019-25017?
The severity of CVE-2019-25017 is medium, with a severity value of 5.9.
How does CVE-2019-25017 affect MIT krb5-appl?
CVE-2019-25017 affects MIT krb5-appl versions up to and including 1.0.3.
What is the CWE classification for CVE-2019-25017?
CVE-2019-25017 is classified under CWE-863.
Is there a fix available for CVE-2019-25017?
Yes, a fix is available for CVE-2019-25017. It is recommended to update to a version of MIT krb5-appl that is not affected by the vulnerability.

collector/nvd-index
agent/severity
agent/author
agent/references
agent/weakness
agent/tags
agent/type
agent/event
agent/description
agent/first-publish-date
agent/softwarecombine
agent/last-modified-date
collector/mitre-cve
source/MITRE
vendor/mit
canonical/mit krb5-appl
version/mit krb5-appl/1.0.3

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.