{
  "threat_severity" : "Low",
  "public_date" : "2014-07-15T00:00:00Z",
  "bugzilla" : {
    "description" : "krb5: double-free flaw in SPNEGO initiators",
    "id" : "1121876",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1121876"
  },
  "cvss" : {
    "cvss_base_score" : "4.3",
    "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:N/I:N/A:P",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "Double free vulnerability in the init_ctx_reselect function in the SPNEGO initiator in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.10.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via network traffic that appears to come from an intended acceptor, but specifies a security mechanism different from the one proposed by the initiator.", "A double-free flaw was found in the MIT Kerberos SPNEGO initiators. An attacker able to spoof packets to appear as though they are from a GSSAPI acceptor could use this flaw to crash a client application that uses MIT Kerberos." ],
  "statement" : "This issue did not affect the version of krb5 as shipped with Red Hat Enterprise Linux 5.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2014-10-13T00:00:00Z",
    "advisory" : "RHSA-2014:1389",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "krb5-0:1.10.3-33.el6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2015-03-05T00:00:00Z",
    "advisory" : "RHSA-2015:0439",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "krb5-0:1.12.2-14.el7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Not affected",
    "package_name" : "krb5",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2014-4343\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-4343" ],
  "name" : "CVE-2014-4343",
  "csaw" : false
}