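MIT Kerberos 5 (aka krb5) before 1.17.2 and 1.18.x before 1.18.3 allows unbounded recursion via an ASN.1-encoded Kerberos message, because the support for BER indefinite lengths in lib/krb5/asn.1/asn1_encode.c lacks a recursion limit. Recursion without a bound can exhaust the stack and crash the process that decodes the message, so the practical impact is denial of service for anything that parses untrusted Kerberos messages with an affected version.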
[
{
"source": "https://github.com/krb5/krb5/commit/57415dda6cf04e73ffc3723be518eddfae599bfd",
"target": {
"file": "src/lib/krb5/asn.1/asn1_encode.c"
},
"signature_type": "Line",
"deprecated": false,
"signature_version": "v1",
"digest": {
"line_hashes": [
"82004413599074258995082300997859384277",
"95514533372883996870744119677761171591",
"256781595708548989705620904801224709789",
"278010137863133208867295668046764927658",
"23956022074200509683341350576803350327",
"190335139486536940044550308909496061835",
"169798344457330923474986025653426785038",
"32325356854271996720022701572692771778",
"52300159344737788490623129516453239447",
"186806524128379503509081764593343790184",
"243105010521653262774947389972205187455",
"63857117114616130914474771310684033647",
"199417454384241800826523717220571858480",
"30188149857417280810981412035781190927",
"267333555597311098053677739621321070589",
"150664080048655905756414456523591557682",
"255842828104875388391352603696648059168",
"305807793871677643555867443063607059033",
"49554595789120067555647948590810355974",
"304164243049172345599539357550429498714",
"276706774358412251743588505323921817969",
"319507010322596304432716532824188812522",
"187716112151959876914627128883343721908",
"171454353741844590700493061918404597125",
"208766693756104307864784200706611949598",
"308593154605976333657788096751535266174",
"67281110818822095509633258637472998374",
"301293672693294295426252448147416371342",
"157004517731995025953302795540372074819",
"232470601004856172972759924748522063383",
"313693152712755249157226542960713384796"
],
"threshold": 0.9
},
"id": "CVE-2020-28196-02fe0993"
},
{
"source": "https://github.com/krb5/krb5/commit/57415dda6cf04e73ffc3723be518eddfae599bfd",
"target": {
"function": "get_tag",
"file": "src/lib/krb5/asn.1/asn1_encode.c"
},
"signature_type": "Function",
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "57529091313606092540209127447220814768",
"length": 1810.0
},
"id": "CVE-2020-28196-16e73268"
},
{
"source": "https://github.com/krb5/krb5/commit/57415dda6cf04e73ffc3723be518eddfae599bfd",
"target": {
"function": "k5_asn1_full_decode",
"file": "src/lib/krb5/asn.1/asn1_encode.c"
},
"signature_type": "Function",
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "99529815593991416643313083110453829191",
"length": 411.0
},
"id": "CVE-2020-28196-4d4662e1"
},
{
"source": "https://github.com/krb5/krb5/commit/57415dda6cf04e73ffc3723be518eddfae599bfd",
"target": {
"function": "decode_atype",
"file": "src/lib/krb5/asn.1/asn1_encode.c"
},
"signature_type": "Function",
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "80648222733855492235361015376819548722",
"length": 2735.0
},
"id": "CVE-2020-28196-506ea3b4"
},
{
"source": "https://github.com/krb5/krb5/commit/57415dda6cf04e73ffc3723be518eddfae599bfd",
"target": {
"function": "decode_sequence",
"file": "src/lib/krb5/asn.1/asn1_encode.c"
},
"signature_type": "Function",
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "13140286987635898525301114047538986872",
"length": 1035.0
},
"id": "CVE-2020-28196-a9330910"
},
{
"source": "https://github.com/krb5/krb5/commit/57415dda6cf04e73ffc3723be518eddfae599bfd",
"target": {
"function": "decode_sequence_of",
"file": "src/lib/krb5/asn.1/asn1_encode.c"
},
"signature_type": "Function",
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "86798477443948831184784418331358588910",
"length": 858.0
},
"id": "CVE-2020-28196-cfa23556"
},
{
"source": "https://github.com/krb5/krb5/commit/57415dda6cf04e73ffc3723be518eddfae599bfd",
"target": {
"function": "split_der",
"file": "src/lib/krb5/asn.1/asn1_encode.c"
},
"signature_type": "Function",
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "41481169286020098270889005944300769622",
"length": 341.0
},
"id": "CVE-2020-28196-faaa6393"
}
]