Detections
Analytics

Alpine: multiple krb5 packages: security update to 1.14-r0 (deprecated)

medium Tenable Self-Hosted Container Security Plugin ID 400993

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

 - The xdr_nullstring function in lib/kadm5/kadm_rpc_xdr.c in kadmind in MIT Kerberos 5 (aka krb5) before
 1.13.4 and 1.14.x before 1.14.1 does not verify whether '\0' characters exist as expected, which allows
 remote authenticated users to obtain sensitive information or cause a denial of service (out-of-bounds
 read) via a crafted string. (CVE-2015-8629)

 - The (1) kadm5_create_principal_3 and (2) kadm5_modify_principal functions in lib/kadm5/srv/svr_principal.c
 in kadmind in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x before 1.13.4 and 1.14.x before 1.14.1 allow
 remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) by
 specifying KADM5_POLICY with a NULL policy name. (CVE-2015-8630)

 - Multiple memory leaks in kadmin/server/server_stubs.c in kadmind in MIT Kerberos 5 (aka krb5) before
 1.13.4 and 1.14.x before 1.14.1 allow remote authenticated users to cause a denial of service (memory
 consumption) via a request specifying a NULL principal name. (CVE-2015-8631)

See Also

https://git.alpinelinux.org/aports/commit/?id=bdd0013fdbf7e436512b3e0ef1d7d2c4befac656

https://git.alpinelinux.org/aports/commit/?id=eab4343d4108ba85530b8141ae3fe0a2242cd72b

Plugin Details

Severity: Medium

ID: 400993

Version: Revision 1.23

Type: Local

Published: 8/16/2023

Updated: 4/13/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Low

Base Score: 2.1

Temporal Score: 1.6

Vector: CVSS2#AV:N/AC:H/Au:S/C:P/I:N/A:N

CVSS Score Source: CVE-2015-8629

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 2/22/2016

Vulnerability Publication Date: 1/8/2016

Reference Information

CVE: CVE-2015-8629, CVE-2015-8630, CVE-2015-8631

BID: 82801, 82802, 82804