CVE-2014-9423
EPSS 1.5%
Description
The svcauth_gss_accept_sec_context function in lib/rpc/svc_auth_gss.c in MIT Kerberos 5 (aka krb5) 1.11.x through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 transmits uninitialized interposer data to clients, which allows remote attackers to obtain sensitive information from process heap memory by sniffing the network for data in a handle field.
How to fix CVE-2014-9423
To remediate CVE-2014-9423, upgrade the affected package to a fixed version below.
- Debian krb5: upgrade to 1.12.1+dfsg-17 or later
Is CVE-2014-9423 being exploited?
Low — EPSS is 1.5%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Debian krb5: all versions from 0 up to, but not including, 1.12.1+dfsg-17 (>= 0, < 1.12.1+dfsg-17)