QwikSec

Security Database

CVE

CWE

Training

CVE-2019-14867

Published: Nov 27, 2019

Modified: Aug 5, 2024

PUBLISHED

CVSS v3.0

8.8

HIGH

Description

A flaw was found in IPA, all 4.6.x versions before 4.6.7, all 4.7.x versions before 4.7.4 and all 4.8.x versions before 4.8.3, in the way the internal function ber_scanf() was used in some components of the IPA server, which parsed kerberos key data. An unauthenticated attacker who could trigger parsing of the krb principal key could cause the IPA server to crash or in some conditions, cause arbitrary code to be executed on the server hosting the IPA server.

Vendor	Product	Versions
Red Hat	ipa	affected `all IPA 4.6.x versions before 4.6.7` affected `all IPA 4.7.x versions before 4.7.4` affected `all IPa 4.8.x versions before 4.8.3`

Weaknesses (CWE)

CVSS v3.0 Details

CVSS v3.0 Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://www.freeipa.org/page/Releases/4.7.4

x_refsource_MISC

https://www.freeipa.org/page/Releases/4.8.3

x_refsource_MISC

https://www.freeipa.org/page/Releases/4.6.7

x_refsource_MISC

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14867

x_refsource_CONFIRM

FEDORA-2019-8e9093da55

vendor-advisory

x_refsource_FEDORA

FEDORA-2019-c64e1612f5

vendor-advisory

x_refsource_FEDORA

vendor-advisory

x_refsource_REDHAT

vendor-advisory

x_refsource_REDHAT

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.