CVE-2008-0062 — krb5 - multiple vulnerabilities

Description

KDC in MIT Kerberos 5 (krb5kdc) does not set a global variable for some krb4 message types, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted messages that trigger a NULL pointer dereference or double-free.

How to fix CVE-2008-0062

To remediate CVE-2008-0062, upgrade the affected package to a fixed version below.

Debian/krb5—upgrade to 1.6.dfsg.3~beta1-4 or later
—upgrade to 1.3.6-2sarge6 or later

Is CVE-2008-0062 being exploited?

Moderate — EPSS is 20.5%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (2)

from 0, < 1.6.dfsg.3~beta1-4
from 0, < 1.3.6-2sarge6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2008-0062