Home

CVE-2019-25017

Description

An issue was discovered in rcp in MIT krb5-appl through 1.0.3. Due to the rcp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the rcp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious rcp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rcp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file). This issue is similar to CVE-2019-6111 and CVE-2019-7283. NOTE: MIT krb5-appl is not supported upstream but is shipped by a few Linux distributions. The affected code was removed from the supported MIT Kerberos 5 (aka krb5) product many years ago, at version 1.8.

Risk Information

Base Score
5.9
MODERATE
Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Score
Exploitation Probability
0.608

Associated Vulnerability

VulnerabilityOS Platform
SUSE-SU-2021:0527-1(SUSE Linux Enterprise Server 12-SP5 ) krb5-appl-clients-1.0.3-3.6.1.x86_64.rpmLinux
SUSE-SU-2021:0527-1(SUSE Linux Enterprise Server 12-SP5 ) krb5-appl-clients-debuginfo-1.0.3-3.6.1.x86_64.rpmLinux
SUSE-SU-2021:0527-1(SUSE Linux Enterprise Server 12-SP5 ) krb5-appl-debugsource-1.0.3-3.6.1.x86_64.rpmLinux
SUSE-SU-2021:0527-1(SUSE Linux Enterprise Server 12-SP5 ) krb5-appl-servers-1.0.3-3.6.1.x86_64.rpmLinux
SUSE-SU-2021:0527-1(SUSE Linux Enterprise Server 12-SP5 ) krb5-appl-servers-debuginfo-1.0.3-3.6.1.x86_64.rpmLinux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234