Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTR2OXEtaG0ycC02OGM0
Spoofing attack due to unvalidated KDC in node-krb5
Affected versions of node-krb5 do not validate the KDC prior to authenticating, which might allow an attacker with network access and enough time to spoof the KDC and impersonate a valid user without knowing their credentials.
Recommendation
It appears that this will remain unfixed indefinitely, as the Github issue for this vulnerability has been open since 2015, with no work on it since then.
At this time, the best available mitigation is to use an alternative module that is actively maintained and provides similar functionality. There are multiple modules fitting this criteria available on npm..
Permalink: https://github.com/advisories/GHSA-4v9q-hm2p-68c4JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTR2OXEtaG0ycC02OGM0
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 4 years ago
Updated: about 2 years ago
Identifiers: GHSA-4v9q-hm2p-68c4, CVE-2016-1000238
References:
- https://github.com/qesuto/node-krb5/issues/13
- https://www.npmjs.com/advisories/136
- http://archive.hack.lu/2010/Bouillon-Stealing-credentials-for-impersonation.pdf
- https://nvd.nist.gov/vuln/detail/CVE-2016-1000238
- https://github.com/advisories/GHSA-4v9q-hm2p-68c4
Blast Radius: 0.0
Affected Packages
npm:node-krb5
Dependent packages: 3Dependent repositories: 9
Downloads: 152 last month
Affected Version Ranges: >= 0.0.0
No known fixed version
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6