Total vulnerabilities in the database
The kdcpreauth modules in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x before 1.13.2 do not properly track whether a client's request has been validated, which allows remote attackers to bypass an intended preauthentication requirement by providing (1) zero bytes of data or (2) an arbitrary realm name, related to plugins/preauth/otp/main.c and plugins/preauth/pkinit/pkinit_srv.c.
| Software | From | Fixed in |
|---|---|---|
| mit / kerberos_5 | 1.12 | 1.12.x |
| mit / kerberos_5 | 1.12.1 | 1.12.1.x |
| mit / kerberos_5 | 1.12.2 | 1.12.2.x |
| mit / kerberos_5 | 1.12.3 | 1.12.3.x |
| mit / kerberos_5 | 1.13 | 1.13.x |
| mit / kerberos_5 | 1.13.1 | 1.13.1.x |