Gss Ntlmssp
CVE-2023-25566
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionNVD
GSS-NTLMSSP is a mechglue plugin for the GSSAPI library that implements NTLM authentication. Prior to version 1.2.0, a memory leak can be triggered when parsing usernames which can trigger a denial-of-service. The domain portion of a username may be overridden causing an allocated memory area the size of the domain name to be leaked. An attacker can leak memory via the main gss_accept_sec_context entry point, potentially causing a denial-of-service. This issue is fixed in version 1.2.0.
AnalysisAI
GSS-NTLMSSP is a mechglue plugin for the GSSAPI library that implements NTLM authentication. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Memory Leak vulnerability could allow attackers to exhaust available memory leading to denial of service.
Technical ContextAI
This vulnerability is classified as Memory Leak (CWE-401), which allows attackers to exhaust available memory leading to denial of service. GSS-NTLMSSP is a mechglue plugin for the GSSAPI library that implements NTLM authentication. Prior to version 1.2.0, a memory leak can be triggered when parsing usernames which can trigger a denial-of-service. The domain portion of a username may be overridden causing an allocated memory area the size of the domain name to be leaked. An attacker can leak memory via the main gss_accept_sec_context entry point, potentially causing a denial-of-service. This issue is fixed in version 1.2.0. Affected products include: Gss-Ntlmssp Project Gss-Ntlmssp. Version information: version 1.2.0.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Ensure all allocated memory is properly freed. Use RAII patterns or garbage-collected languages.
More in Gss Ntlmssp
View allGSS-NTLMSSP is a mechglue plugin for the GSSAPI library that implements NTLM authentication. Rated high severity (CVSS 8
GSS-NTLMSSP, a mechglue plugin for the GSSAPI library that implements NTLM authentication, has an out-of-bounds read whe
GSS-NTLMSSP is a mechglue plugin for the GSSAPI library that implements NTLM authentication. Rated high severity (CVSS 7
GSS-NTLMSSP is a mechglue plugin for the GSSAPI library that implements NTLM authentication. Rated high severity (CVSS 7
Same weakness CWE-401 – Memory Leak
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today