CVE-2016-1000238

Description

Affected versions of `node-krb5` do not validate the KDC prior to authenticating, which might allow an attacker with network access and enough time to spoof the KDC and impersonate a valid user without knowing their credentials. ## Recommendation It appears that this will remain unfixed indefinitely, as the Github issue for this vulnerability has been open since 2015, with no work on it since then. At this time, the best available mitigation is to use an alternative module that is actively maintained and provides similar functionality. There are [multiple modules fitting this criteria available on npm.](https://www.npmjs.com/search?q=kerberos).

How to fix CVE-2016-1000238

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

• —no fix listed

Is CVE-2016-1000238 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2016-1000238.

Affected packages (1)

• >= 0.0.0

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-1000238
• PATCHgithub.com/qesuto/node-krb5
• WEBarchive.hack.lu/2010/Bouillon-Stealing-credentials-for-impersonation.pdf
• WEBgithub.com/qesuto/node-krb5/issues/13
• WEB