CVE-2012-1012

server/server_stubs.c in the kadmin protocol implementation in MIT Kerberos 5 (aka krb5) 1.10 before 1.10.1 does not properly restrict access to (1) SET_STRING and (2) GET_STRINGS operations, which might allow remote authenticated administrators to modify or read string attributes by leveraging the global list privilege.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:S/C:P/I:P/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 41%
VendorProductVersion
mitkerberos_5
1.10
mitkerberos_5
1.10.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
krb5
bullseye
1.18.3-6+deb11u5
fixed
bullseye (security)
1.18.3-6+deb11u5
fixed
squeeze
not-affected
bookworm
1.20.1-2+deb12u2
fixed
bookworm (security)
1.20.1-2+deb12u2
fixed
sid
1.21.3-3
fixed
trixie
1.21.3-3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
krb5
precise
Fixed 1.10+dfsg~beta1-2ubuntu0.3
released
oneiric
not-affected
natty
not-affected
lucid
not-affected
hardy
not-affected
Common Weakness Enumeration
References
http://krbdev.mit.edu/rt/Ticket/Display.html?user=guest&pass=guest&id=7093
http://src.mit.edu/fisheye/changelog/krb5/?cs=25704
http://web.mit.edu/kerberos/krb5-1.10/
https://bugzilla.redhat.com/show_bug.cgi?id=796438
http://krbdev.mit.edu/rt/Ticket/Display.html?user=guest&pass=guest&id=7093
http://src.mit.edu/fisheye/changelog/krb5/?cs=25704
http://web.mit.edu/kerberos/krb5-1.10/
https://bugzilla.redhat.com/show_bug.cgi?id=796438