AZL-25604

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-25604.json

JSON Data

https://api.osv.dev/v1/vulns/AZL-25604

Upstream

CVE-2022-45142

Published

2023-03-06T23:15:11Z

Modified

2026-04-21T04:23:07.022365Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

CVE-2022-45142 affecting package heimdal for versions less than 7.7.1-2

Details

The fix for CVE-2022-3437 included changing memcmp to be constant time and a workaround for a compiler bug by adding "!= 0" comparisons to the result of memcmp. When these patches were backported to the heimdal-7.7.1 and heimdal-7.8.0 branches (and possibly other branches) a logic inversion sneaked in causing the validation of message integrity codes in gssapi/arcfour to be inverted.

References

https://nvd.nist.gov/vuln/detail/CVE-2022-45142

Affected packages

Azure Linux:2 / heimdal

Package

Name: heimdal
Purl: pkg:rpm/azure-linux/heimdal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

7.7.1-2

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-25604.json"