CVE-2019-14867 – ipa

Package

Manager: pip
Name: ipa
Vulnerable Version: >=4.6.2 <4.6.7 || >=4.7.0 <4.7.4 || >=4.8.0 <4.8.3

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.02727 pctl0.85395

Details

Code injection in FreeIPA A flaw was found in IPA, all 4.6.x versions before 4.6.7, all 4.7.x versions before 4.7.4 and all 4.8.x versions before 4.8.3, in the way the internal function ber_scanf() was used in some components of the IPA server, which parsed kerberos key data. An unauthenticated attacker who could trigger parsing of the krb principal key could cause the IPA server to crash or in some conditions, cause arbitrary code to be executed on the server hosting the IPA server.

Metadata

Created: 2021-12-06T18:17:38Z
Modified: 2024-09-20T21:57:38Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-7hpj-hfcr-5qwm/GHSA-7hpj-hfcr-5qwm.json
CWE IDs: ["CWE-400", "CWE-94"]
Alternative ID: GHSA-7hpj-hfcr-5qwm
Finding: F422
Auto approve: 1