CVE-2024-37371: 
MySQL Schwachstellenanalyse und -minderung

In MIT Kerberos 5 (krb5) versions prior to 1.21.3, a vulnerability was discovered where an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields (NVD, MIT Advisory). The vulnerability was assigned CVE-2024-37371 and was publicly disclosed on June 28, 2024.

The vulnerability exists in the GSS message token handling mechanism of MIT Kerberos 5. When processing message tokens, the system fails to properly validate length fields, which can lead to invalid memory reads. The vulnerability has been assigned a CVSS v3.1 base score of 9.1 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H, indicating that it can be exploited remotely without requiring privileges or user interaction (NVD).

Successful exploitation of this vulnerability could lead to disclosure of sensitive information or result in a Denial of Service (DoS) condition. The high CVSS score reflects the potential for significant impact on system confidentiality and availability (NetApp Advisory).

The vulnerability has been fixed in MIT Kerberos 5 version 1.21.3. Organizations are strongly advised to upgrade to this version or later. The fix includes modifications to verify the Extra Count field of CFX wrap tokens against the encrypted header and additional validation checks for decrypted plaintext length (GitHub Patch).