CVE-2016-1000238 – node-krb5

Package

Manager: npm
Name: node-krb5
Vulnerable Version: >=0.0.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Spoofing attack due to unvalidated KDC in node-krb5 Affected versions of `node-krb5` do not validate the KDC prior to authenticating, which might allow an attacker with network access and enough time to spoof the KDC and impersonate a valid user without knowing their credentials. ## Recommendation It appears that this will remain unfixed indefinitely, as the Github issue for this vulnerability has been open since 2015, with no work on it since then. At this time, the best available mitigation is to use an alternative module that is actively maintained and provides similar functionality. There are [multiple modules fitting this criteria available on npm.](https://www.npmjs.com/search?q=kerberos).

Metadata

Created: 2020-09-01T15:57:01Z
Modified: 2021-09-23T21:35:22Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-4v9q-hm2p-68c4/GHSA-4v9q-hm2p-68c4.json
CWE IDs: []
Alternative ID: GHSA-4v9q-hm2p-68c4
Finding: F081
Auto approve: 1