In MIT Kerberos 5 (aka krb5) 1.7 and later, an authenticated attacker can cause a KDC assertion failure by sending invalid S4U2Self or S4U2Proxy requests.
{
"unresolved_ranges": [
{
"cpes": [
"cpe:2.3:o:fedoraproject:fedora:25:*:*:*:*:*:*:*",
"cpe:2.3:o:fedoraproject:fedora:26:*:*:*:*:*:*:*"
],
"vendor_product": "fedoraproject:fedora",
"extracted_events": [
{
"introduced": "25"
},
{
"last_affected": "25"
},
{
"introduced": "26"
},
{
"last_affected": "26"
}
],
"source": "CPE_STRING"
},
{
"cpes": [
"cpe:2.3:a:mit:kerberos:5-1.13.7:*:*:*:*:*:*:*"
],
"vendor_product": "mit:kerberos",
"extracted_events": [
{
"introduced": "5-1.13.7"
},
{
"last_affected": "5-1.13.7"
}
],
"source": "CPE_STRING"
},
{
"cpes": [
"cpe:2.3:a:mit:kerberos_5:1.15.1:beta1:*:*:*:*:*:*",
"cpe:2.3:a:mit:kerberos_5:1.15.1:beta2:*:*:*:*:*:*",
"cpe:2.3:a:mit:kerberos_5:1.7:*:*:*:*:*:*:*"
],
"vendor_product": "mit:kerberos_5",
"extracted_events": [
{
"introduced": "1.7"
},
{
"last_affected": "1.7"
},
{
"introduced": "1.15.1-beta1"
},
{
"last_affected": "1.15.1-beta1"
},
{
"introduced": "1.15.1-beta1"
},
{
"last_affected": "1.15.1-beta1"
},
{
"introduced": "1.15.1-beta2"
},
{
"last_affected": "1.15.1-beta2"
},
{
"introduced": "1.15.1-beta2"
},
{
"last_affected": "1.15.1-beta2"
}
],
"source": "CPE_STRING"
}
]
}{
"cpe": [
"cpe:2.3:a:mit:kerberos_5:1.7:*:*:*:*:*:*:*",
"cpe:2.3:a:mit:kerberos_5:1.7.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mit:kerberos_5:1.8:*:*:*:*:*:*:*",
"cpe:2.3:a:mit:kerberos_5:1.8.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mit:kerberos_5:1.8.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mit:kerberos_5:1.8.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mit:kerberos_5:1.8.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mit:kerberos_5:1.8.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mit:kerberos_5:1.8.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mit:kerberos_5:1.9:*:*:*:*:*:*:*",
"cpe:2.3:a:mit:kerberos_5:1.9.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mit:kerberos_5:1.9.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mit:kerberos_5:1.9.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mit:kerberos_5:1.9.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mit:kerberos_5:1.10:*:*:*:*:*:*:*",
"cpe:2.3:a:mit:kerberos_5:1.10.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mit:kerberos_5:1.10.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mit:kerberos_5:1.10.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mit:kerberos_5:1.10.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mit:kerberos_5:1.11:*:*:*:*:*:*:*",
"cpe:2.3:a:mit:kerberos_5:1.11.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mit:kerberos_5:1.11.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mit:kerberos_5:1.11.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mit:kerberos_5:1.11.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mit:kerberos_5:1.11.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mit:kerberos_5:1.12:*:*:*:*:*:*:*",
"cpe:2.3:a:mit:kerberos_5:1.12.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mit:kerberos_5:1.12.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mit:kerberos_5:1.12.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mit:kerberos_5:1.13:*:*:*:*:*:*:*",
"cpe:2.3:a:mit:kerberos_5:1.13.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mit:kerberos_5:1.13.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mit:kerberos_5:1.13.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mit:kerberos_5:1.13.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mit:kerberos_5:1.13.6:*:*:*:*:*:*:*",
"cpe:2.3:a:mit:kerberos_5:1.14:*:*:*:*:*:*:*",
"cpe:2.3:a:mit:kerberos_5:1.14:alpha1:*:*:*:*:*:*",
"cpe:2.3:a:mit:kerberos_5:1.14:beta1:*:*:*:*:*:*",
"cpe:2.3:a:mit:kerberos_5:1.14:beta2:*:*:*:*:*:*",
"cpe:2.3:a:mit:kerberos_5:1.14.1:*:*:*:*:*:*:*",
"cpe:2.3:a:mit:kerberos_5:1.14.2:*:*:*:*:*:*:*",
"cpe:2.3:a:mit:kerberos_5:1.14.3:*:*:*:*:*:*:*",
"cpe:2.3:a:mit:kerberos_5:1.14.4:*:*:*:*:*:*:*",
"cpe:2.3:a:mit:kerberos_5:1.14.5:*:*:*:*:*:*:*",
"cpe:2.3:a:mit:kerberos_5:1.15:*:*:*:*:*:*:*",
"cpe:2.3:a:mit:kerberos_5:1.15.1:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "1.7"
},
{
"last_affected": "1.7"
},
{
"introduced": "1.7.1"
},
{
"last_affected": "1.7.1"
},
{
"introduced": "1.8"
},
{
"last_affected": "1.8"
},
{
"introduced": "1.8.1"
},
{
"last_affected": "1.8.1"
},
{
"introduced": "1.8.2"
},
{
"last_affected": "1.8.2"
},
{
"introduced": "1.8.3"
},
{
"last_affected": "1.8.3"
},
{
"introduced": "1.8.4"
},
{
"last_affected": "1.8.4"
},
{
"introduced": "1.8.5"
},
{
"last_affected": "1.8.5"
},
{
"introduced": "1.8.6"
},
{
"last_affected": "1.8.6"
},
{
"introduced": "1.9"
},
{
"last_affected": "1.9"
},
{
"introduced": "1.9.1"
},
{
"last_affected": "1.9.1"
},
{
"introduced": "1.9.2"
},
{
"last_affected": "1.9.2"
},
{
"introduced": "1.9.3"
},
{
"last_affected": "1.9.3"
},
{
"introduced": "1.9.4"
},
{
"last_affected": "1.9.4"
},
{
"introduced": "1.10"
},
{
"last_affected": "1.10"
},
{
"introduced": "1.10.1"
},
{
"last_affected": "1.10.1"
},
{
"introduced": "1.10.2"
},
{
"last_affected": "1.10.2"
},
{
"introduced": "1.10.3"
},
{
"last_affected": "1.10.3"
},
{
"introduced": "1.10.4"
},
{
"last_affected": "1.10.4"
},
{
"introduced": "1.11"
},
{
"last_affected": "1.11"
},
{
"introduced": "1.11.1"
},
{
"last_affected": "1.11.1"
},
{
"introduced": "1.11.2"
},
{
"last_affected": "1.11.2"
},
{
"introduced": "1.11.3"
},
{
"last_affected": "1.11.3"
},
{
"introduced": "1.11.4"
},
{
"last_affected": "1.11.4"
},
{
"introduced": "1.11.5"
},
{
"last_affected": "1.11.5"
},
{
"introduced": "1.12"
},
{
"last_affected": "1.12"
},
{
"introduced": "1.12.1"
},
{
"last_affected": "1.12.1"
},
{
"introduced": "1.12.2"
},
{
"last_affected": "1.12.2"
},
{
"introduced": "1.12.3"
},
{
"last_affected": "1.12.3"
},
{
"introduced": "1.13"
},
{
"last_affected": "1.13"
},
{
"introduced": "1.13.1"
},
{
"last_affected": "1.13.1"
},
{
"introduced": "1.13.2"
},
{
"last_affected": "1.13.2"
},
{
"introduced": "1.13.3"
},
{
"last_affected": "1.13.3"
},
{
"introduced": "1.13.5"
},
{
"last_affected": "1.13.5"
},
{
"introduced": "1.13.6"
},
{
"last_affected": "1.13.6"
},
{
"introduced": "1.14"
},
{
"last_affected": "1.14"
},
{
"introduced": "1.14-alpha1"
},
{
"last_affected": "1.14-alpha1"
},
{
"introduced": "1.14-beta1"
},
{
"last_affected": "1.14-beta1"
},
{
"introduced": "1.14-beta2"
},
{
"last_affected": "1.14-beta2"
},
{
"introduced": "1.14.1"
},
{
"last_affected": "1.14.1"
},
{
"introduced": "1.14.2"
},
{
"last_affected": "1.14.2"
},
{
"introduced": "1.14.3"
},
{
"last_affected": "1.14.3"
},
{
"introduced": "1.14.4"
},
{
"last_affected": "1.14.4"
},
{
"introduced": "1.14.5"
},
{
"last_affected": "1.14.5"
},
{
"introduced": "1.15"
},
{
"last_affected": "1.15"
},
{
"introduced": "1.15.1"
},
{
"last_affected": "1.15.1"
}
],
"source": [
"CPE_STRING",
"REFERENCES"
]
}[
{
"digest": {
"function_hash": "330028959243753203609613709933773874074",
"length": 653.0
},
"target": {
"function": "kdc_process_s4u2proxy_req",
"file": "src/kdc/kdc_util.c"
},
"id": "CVE-2017-11368-16ce6abc",
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/krb5/krb5/commit/ffb35baac6981f9e8914f8f3bffd37f284b85970",
"deprecated": false
},
{
"digest": {
"function_hash": "83240240999769545177314307306634696539",
"length": 15624.0
},
"target": {
"function": "process_tgs_req",
"file": "src/kdc/do_tgs_req.c"
},
"id": "CVE-2017-11368-5bf800eb",
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/krb5/krb5/commit/ffb35baac6981f9e8914f8f3bffd37f284b85970",
"deprecated": false
},
{
"digest": {
"function_hash": "156221043922931185817485653085623573900",
"length": 673.0
},
"target": {
"function": "kdc_process_for_user",
"file": "src/kdc/kdc_util.c"
},
"id": "CVE-2017-11368-755de4b8",
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/krb5/krb5/commit/ffb35baac6981f9e8914f8f3bffd37f284b85970",
"deprecated": false
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"283975676019297401139999035662419444645",
"282672820768443496025395926450658577906",
"47215875968588905788377893875480578522",
"91415356043600347659629545620442554514",
"99052052106133597793956133896851414116",
"184992862356724350174483412619012981443",
"180808050400054218726783860965016757985",
"298778936289824725957268107039822507847",
"73155155861381541010112379124029782245",
"99432362990357885032626879684404162822",
"218227452749620134082433343964277257909",
"114506724569938914743330379561712543200",
"37246406000188172841916433720272670724",
"78014914416155917900049677080906534854",
"272232022684417892734841124247077554087",
"298769036358435233077422396747719161328",
"129707705023951043827643630971048549541",
"70541791018619243244654308933730348437"
]
},
"target": {
"file": "src/kdc/kdc_util.c"
},
"id": "CVE-2017-11368-a6179004",
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/krb5/krb5/commit/ffb35baac6981f9e8914f8f3bffd37f284b85970",
"deprecated": false
},
{
"digest": {
"function_hash": "74531147696732265420744333821386430488",
"length": 771.0
},
"target": {
"function": "kdc_process_s4u_x509_user",
"file": "src/kdc/kdc_util.c"
},
"id": "CVE-2017-11368-ae10ded1",
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/krb5/krb5/commit/ffb35baac6981f9e8914f8f3bffd37f284b85970",
"deprecated": false
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"325367889476803086856633468511928700848",
"68989466184981042379603439399162329417",
"173256510690270124507023254971734967536",
"115082524213724777578031700444571321986"
]
},
"target": {
"file": "src/kdc/do_tgs_req.c"
},
"id": "CVE-2017-11368-ca597638",
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/krb5/krb5/commit/ffb35baac6981f9e8914f8f3bffd37f284b85970",
"deprecated": false
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"311703179622825782984481815100440141886",
"256372248361650419130344277581095724040",
"89102105830819084952166022460426190619",
"108192380190004863950675277511866253291",
"44123480385076308243782818462219067811"
]
},
"target": {
"file": "src/kdc/do_as_req.c"
},
"id": "CVE-2017-11368-ea438f50",
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/krb5/krb5/commit/ffb35baac6981f9e8914f8f3bffd37f284b85970",
"deprecated": false
},
{
"digest": {
"function_hash": "176621686112374436775066263314571356236",
"length": 7164.0
},
"target": {
"function": "finish_process_as_req",
"file": "src/kdc/do_as_req.c"
},
"id": "CVE-2017-11368-fcaca95d",
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/krb5/krb5/commit/ffb35baac6981f9e8914f8f3bffd37f284b85970",
"deprecated": false
}
]
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-11368.json"
"2026-07-08T12:05:56Z"