5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
0.005 Low
EPSS
Percentile
76.2%
In the rcp client in MIT krb5-appl through 1.0.3, malicious servers could
bypass intended access restrictions via the filename of . or an empty
filename, similar to CVE-2018-20685 and CVE-2019-7282. The impact is
modifying the permissions of the target directory on the client side. NOTE:
MIT krb5-appl is not supported upstream but is shipped by a few Linux
distributions. The affected code was removed from the supported MIT
Kerberos 5 (aka krb5) product many years ago, at version 1.8.
Author | Note |
---|---|
sbeattie | krb5-appl was removed before ubuntu 14.04 LTS was released. |
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
0.005 Low
EPSS
Percentile
76.2%