CVE-2019-14867
moderate-risk
Published 2019-11-27
A flaw was found in IPA, all 4.6.x versions before 4.6.7, all 4.7.x versions before 4.7.4 and all 4.8.x versions before 4.8.3, in the way the internal function ber_scanf() was used in some components of the IPA server, which parsed kerberos key data. An unauthenticated attacker who could trigger parsing of the krb principal key could cause the IPA server to crash or in some conditions, cause arbitrary code to be executed on the server hosting the IPA server.
Do I need to act?
~
3.4% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10
High
NETWORK
/ LOW complexity
Affected Vendors
References (16)
Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14867
Release Notes
https://www.freeipa.org/page/Releases/4.6.7
Release Notes
https://www.freeipa.org/page/Releases/4.7.4
Release Notes
https://www.freeipa.org/page/Releases/4.8.3
Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14867
Release Notes
https://www.freeipa.org/page/Releases/4.6.7
Release Notes
https://www.freeipa.org/page/Releases/4.7.4
Release Notes
https://www.freeipa.org/page/Releases/4.8.3
46
/ 100
moderate-risk
Severity
30/34 · Critical
Exploitability
7/34 · Low
Exposure
9/34 · Low