Severity by source
Sources disagree (Medium to Critical)
CVSS vector (vendor: redhat): CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.
Description (CVE.org)
A privilege escalation from host to domain vulnerability was found in the FreeIPA project. The FreeIPA package fails to validate the uniqueness of the krbCanonicalName for the admin account by default, allowing users to create services with the same canonical name as the REALM admin. When a successful attack happens, the user can retrieve a Kerberos ticket in the name of this service, containing the admin@REALM credential. This flaw allows an attacker to perform administrative tasks over the REALM, leading to access to sensitive data and sensitive data exfiltration.
Analysis (AI)
Critical privilege escalation vulnerability in FreeIPA that allows authenticated users with high privileges to create Kerberos services with the same canonical name (krbCanonicalName) as the realm administrator, enabling them to obtain administrative credentials. The vulnerability affects FreeIPA default configurations where uniqueness validation is not enforced, allowing attackers to retrieve Kerberos tickets with admin@REALM credentials and perform unrestricted administrative operations. With a CVSS 9.1 score and network-accessible attack vector, this represents a severe threat to FreeIPA-based identity infrastructures, particularly in environments where service creation permissions are delegated or insufficiently restricted.
Technical Context (AI)
FreeIPA is an open-source identity management system built on LDAP, Kerberos, and DNS. The vulnerability stems from inadequate validation of the krbCanonicalName attribute, a critical identifier in Kerberos that uniquely identifies principals in the Key Distribution Center (KDC). CWE-1220 (Insufficient Granularity of Access Control) indicates the root cause: FreeIPA fails to enforce uniqueness constraints at the schema or application level, allowing duplicate canonical names across different service principals. The Kerberos protocol relies on canonical name uniqueness to ensure proper ticket issuance and validation; when an attacker creates a service with the admin's canonical name, the KDC may issue tickets bearing admin credentials to the attacker-controlled service. This is compounded by FreeIPA's default configuration not validating this constraint, making the issue present in standard deployments. The attack leverages the interaction between LDAP object creation (insufficient access control) and Kerberos ticket generation (canonical name collision).
Remediation (AI)
Immediate remediation steps:

1. Apply the FreeIPA upstream patches that add krbCanonicalName validation; fixed releases enforce the uniqueness constraint at both the schema and the application layer.
2. Contact Red Hat for the RHEL Identity Management advisory (RHSA-*) patches.
3. Until patched, apply compensating controls: enforce a uniqueness constraint on krbCanonicalName at the directory server level; restrict service-creation permissions to trusted administrators only; audit existing service entries for duplicate canonical names and remove unauthorized entries.
4. Monitor FreeIPA upstream (freeipa.org) and Red Hat (access.redhat.com) for official patches.
5. Use network segmentation so that service-creation requests can only originate from authorized administrative networks.
6. Enable Kerberos audit logging to detect unauthorized ticket requests for admin principals.
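The audit in step 3 can be scripted. The following is an added example, not FreeIPA's or vuln.today's code: it parses an LDIF export of the accounts subtree and reports every krbCanonicalName carried by more than one entry, and specifically any service entry whose canonical name collides with a non-service principal such as admin@REALM. The LDIF text, the DNs and the realm EXAMPLE.TEST are constructed for illustration, and the ldapsearch invocation in the module docstring is an assumption about how the export would be produced, not a command taken from the page.

```python
"""Audit an LDIF export for duplicate krbCanonicalName values.

Added example (not FreeIPA code). Assumes the input was produced by an
export such as (assumption, adjust base DN and bind options as needed):
  ldapsearch -o ldif-wrap=no -b cn=accounts,dc=example,dc=test krbCanonicalName
"""
import base64
from collections import defaultdict

# Constructed sample: one user, one legitimate service, and one service
# entry carrying the admin principal's canonical name (the CVE pattern).
SAMPLE_LDIF = """\
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=test
objectClass: krbprincipalaux
krbCanonicalName: admin@EXAMPLE.TEST

dn: krbprincipalname=HTTP/web1.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test
objectClass: ipaservice
krbCanonicalName: HTTP/web1.example.test@EXAMPLE.TEST

dn: krbprincipalname=rogue/host.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test
objectClass: ipaservice
krbCanonicalName: admin@EXAMPLE.TEST
"""


def parse_ldif(text):
    """Minimal LDIF parser returning a list of (dn, {attr: [values]}).

    Handles folded lines (leading space) and base64 values ("attr:: ...").
    Attribute names are lower-cased; values are kept verbatim because
    Kerberos principal names are case-sensitive.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries = []
    current = None
    for line in unfolded:
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            if current is not None:
                entries.append(current)
            current = (value, defaultdict(list))
        elif current is not None:
            current[1][name.lower()].append(value)
    if current is not None:
        entries.append(current)
    return entries


def find_duplicate_canonical_names(entries):
    """Map each krbCanonicalName to the DNs carrying it, keeping only
    names that occur on more than one entry."""
    by_name = defaultdict(list)
    for dn, attrs in entries:
        for value in attrs.get("krbcanonicalname", []):
            by_name[value].append(dn)
    return {name: dns for name, dns in by_name.items() if len(dns) > 1}


def shadowed_principals(entries):
    """Duplicates where at least one DN is a service entry and at least one
    is not: the collision described for this CVE (a service entry whose
    krbCanonicalName equals a user principal such as admin@REALM)."""
    findings = {}
    for name, dns in find_duplicate_canonical_names(entries).items():
        services = [d for d in dns if ",cn=services," in d.lower()]
        others = [d for d in dns if d not in services]
        if services and others:
            findings[name] = {"services": services, "others": others}
    return findings


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    for name, dns in find_duplicate_canonical_names(parsed).items():
        print(f"duplicate krbCanonicalName {name!r} on {len(dns)} entries")
    for name, hit in shadowed_principals(parsed).items():
        print(f"service entries shadowing {name!r}: {hit['services']}")
```

Run it against a real export by replacing SAMPLE_LDIF with the file contents; any name reported by shadowed_principals should be reviewed and the offending service entry removed, which is the "remove unauthorized entries" part of step 3.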
Vendor Status
Ubuntu
Priority: Medium

| Release | Status | Version |
|---|---|---|
| trusty | needs-triage | - |
| xenial | needs-triage | - |
| bionic | needs-triage | - |
| focal | needs-triage | - |
| jammy | needs-triage | - |
| noble | needs-triage | - |
| upstream | needs-triage | - |
| plucky | ignored | end of life, was needs-triage |
| oracular | ignored | end of life, was needs-triage |
| questing | needs-triage | - |
Debian
Bug #1108050

| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bookworm | vulnerable | 4.9.11-1 | - |
| trixie | fixed | 4.12.4-1 | - |
| forky, sid | fixed | 4.13.1-1 | - |
| (unstable) | fixed | 4.12.4-1 | unimportant |
SUSE
Severity: Critical

| Product | Status |
|---|---|
| SUSE Liberty Linux 8 | Fixed |
| SUSE Liberty Linux 9 | Fixed |
EUVD identifier: EUVD-2025-18495