VIR Vulnerability Intelligence Relay

CVE-2014-4345

high
Published 2014-08-14 · Modified 2026-05-06
CVSS v3
CVSS v2
8.5
VIR risk
8.5

Description

Off-by-one error in the krb5_encode_krbsecretkey function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in the LDAP KDB module in kadmind in MIT Kerberos 5 (aka krb5) 1.6.x through 1.11.x before 1.11.6 and 1.12.x before 1.12.2 allows remote authenticated users to cause a denial of service (buffer overflow) or possibly execute arbitrary code via a series of "cpw -keepold" commands.

Predictions

Exploit likelihood
20%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2014-4345

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2014-001.txt

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2014-4345.html

OS impact
OSVersionStatusFixed in
suse slesaffected
debian debianbookwormfixed1.12.1+dfsg-7
debian debianbullseyefixed1.12.1+dfsg-7
debian debianforkyfixed1.12.1+dfsg-7
debian debiansidfixed1.12.1+dfsg-7
debian debiantrixiefixed1.12.1+dfsg-7

Application impact
VendorProductVersionsFixed
mitkerberos_51.6
mitkerberos_51.6.1
mitkerberos_51.6.2
mitkerberos_51.7
mitkerberos_51.7.1
mitkerberos_51.8
mitkerberos_51.8.1
mitkerberos_51.8.2
mitkerberos_51.8.3
mitkerberos_51.8.4
mitkerberos_51.8.5
mitkerberos_51.8.6
mitkerberos_51.9
mitkerberos_51.9.1
mitkerberos_51.9.2
mitkerberos_51.9.3
mitkerberos_51.9.4
mitkerberos_51.10
mitkerberos_51.10.1
mitkerberos_51.10.2
mitkerberos_51.10.3
mitkerberos_51.10.4
mitkerberos_51.11
mitkerberos_51.11.1
mitkerberos_51.11.2
mitkerberos_51.11.3
mitkerberos_51.11.4
mitkerberos_51.11.5
mitkerberos_51.12
mitkerberos_51.12.1

References

CWEs

CWE-189

Verify integrity in audit chain (admin only). AS-IS.