← Back

CVE-2020-17049

nvd nist
Published: Nov 11, 2020Modified: Nov 21, 2024

JSON object

Loading...
7.2
Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.2 / Impact: 5.9
Source: NVD (Secondary)

Description

A security feature bypass vulnerability exists in the way Key Distribution Center (KDC) determines if a service ticket can be used for delegation via Kerberos Constrained Delegation (KCD). To exploit the vulnerability, a compromised service that is configured to use KCD could tamper with a service ticket that is not valid for delegation to force the KDC to accept it. The update addresses this vulnerability by changing how the KDC validates service tickets used with KCD.

Affected (11)

Microsoft
3 products
Windows Server 2012
Windows Server 2016
Windows Server 2019
Samba
1 product
Samba
Configuration A
8 vulnerable
Vulnerable SoftwareAffected Versions
Microsoft
Windows Server 2012
All versions
Windows Server 2012
Version r2
Microsoft
Windows Server 2016
All versions
Windows Server 2016
Version 1903
Windows Server 2016
Version 1909
Windows Server 2016
Version 2004
Windows Server 2016
Version 20h2
Windows Server 2019
All versions
Configuration B
3 vulnerable
Vulnerable SoftwareAffected Versions
Samba
Samba
From 4.1.0 to 4.13.13
Samba
From 4.14.0 to 4.14.9
Samba
From 4.15.0 to 4.15.1

Related CWEs

CWE-863
Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (6)

Source: secure@microsoft.com
Mailing ListThird Party Advisory
Source: secure@microsoft.com
PatchVendor Advisory
Source: secure@microsoft.com
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
PatchVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.