CVE-2016-1000238
Spoofing attack due to unvalidated KDC in node-krb5
Description
Affected versions of `node-krb5` do not validate the KDC prior to authenticating, which might allow an attacker with network access and enough time to spoof the KDC and impersonate a valid user without knowing their credentials.

## Recommendation

It appears that this will remain unfixed indefinitely, as the GitHub issue for this vulnerability has been open since 2015, with no work on it since then. At this time, the best available mitigation is to use an alternative module that is actively maintained and provides similar functionality. There are [multiple modules fitting these criteria available on npm](https://www.npmjs.com/search?q=kerberos).
How to fix CVE-2016-1000238
No patched version has been released. Consider removing the affected package, or refer to the upstream recommendation at the link below.
- No patched version listed
Is CVE-2016-1000238 being exploited?
There are currently no signals of exploitation. CVE-2016-1000238 is neither listed in the CISA KEV catalog nor has a recent EPSS score.
Affected packages (1)
- >= 0.0.0