{"id":"CVE-2019-12098","details":"In the client side of Heimdal before 7.6.0, failure to verify anonymous PKINIT PA-PKINIT-KX key exchange permits a man-in-the-middle attack. This issue is in krb5_init_creds_step in lib/krb5/init_creds_pw.c.","modified":"2026-04-11T08:55:50.035702Z","published":"2019-05-15T23:29:00.277Z","related":["openSUSE-SU-2019:1682-1","openSUSE-SU-2019:1688-1","openSUSE-SU-2019:1888-1","openSUSE-SU-2024:10946-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GIXEDVVMPD6ZAJSMI2EZ7FNEIVNWE5PD/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SLXXIF4LOQEAEDAF4UGP2AO6WDNTDFUB/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2019/dsa-4455"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00003.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00026.html"},{"type":"ADVISORY","url":"https://github.com/heimdal/heimdal/releases/tag/heimdal-7.6.0"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00002.html"},{"type":"ADVISORY","url":"https://seclists.org/bugtraq/2019/Jun/1"},{"type":"FIX","url":"http://www.h5l.org/pipermail/heimdal-announce/2019-May/000009.html"},{"type":"FIX","url":"https://github.com/heimdal/heimdal/commit/2f7f3d9960aa6ea21358bdf3687cee5149aa35cf"},{"type":"FIX","url":"https://github.com/heimdal/heimdal/compare/3e58559...bbafe72"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/heimdal/heimdal","events":[{"introduced":"0"},{"fixed":"bbafe725f10b6bfd60e4d411ba08719b632e3043"},{"fixed":"2f7f3d9960aa6ea21358bdf3687cee5149aa35cf"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"7.6.0"}]}}],"versions":["git2svn-syncpoint-master","heimdal-1.3.0pre1","heimdal-1.3.0pre10","heimdal-1.3.0pre11","heimdal-1.3.0pre3","heimdal-1.3.0pre4","heimdal-1.3.0pre5","heimdal-1.3.0pre6","heimdal-1.3.0pre7","heimdal-1.3.0pre8","heimdal-1.3.0pre9","heimdal-1.3.0rc1","heimdal-1.5pre1","heimdal-1.5pre2","heimdal-7.0.1","heimdal-7.0.2","heimdal-7.0.3","heimdal-7.1.0","heimdal-7.1rc1","heimdal-7.2.0","heimdal-7.3.0","heimdal-7.4.0","heimdal-7.5.0","switch-from-svn-to-git","upstream-1.4.0+git20101228.dfsg.1","upstream-1.4.0+git20110220.dfsg.1"],"database_specific":{"vanir_signatures":[{"target":{"file":"lib/krb5/init_creds_pw.c","function":"krb5_init_creds_step"},"signature_type":"Function","id":"CVE-2019-12098-3473ff51","digest":{"length":6746,"function_hash":"239451779831776701030370729553326217963"},"signature_version":"v1","deprecated":false,"source":"https://github.com/heimdal/heimdal/commit/2f7f3d9960aa6ea21358bdf3687cee5149aa35cf"},{"target":{"file":"lib/krb5/pkinit.c"},"signature_type":"Line","id":"CVE-2019-12098-81d6eb0e","digest":{"threshold":0.9,"line_hashes":["157905797815404682526821631083992957802","77077079028435348282945182426218165738","232278302168403443626434313658558027612"]},"signature_version":"v1","deprecated":false,"source":"https://github.com/heimdal/heimdal/commit/2f7f3d9960aa6ea21358bdf3687cee5149aa35cf"},{"target":{"file":"lib/krb5/init_creds_pw.c"},"signature_type":"Line","id":"CVE-2019-12098-eccdb06f","digest":{"threshold":0.9,"line_hashes":["94971240621567312815457331887032315308","80927413706729359648894526490031709185","77888480259620153279995465692430115069","120247920660774625577499905939642226608"]},"signature_version":"v1","deprecated":false,"source":"https://github.com/heimdal/heimdal/commit/2f7f3d9960aa6ea21358bdf3687cee5149aa35cf"}],"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"30"}]},{"events":[{"introduced":"0"},{"last_affected":"31"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0-NA"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0-sp1"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0"}]},{"events":[{"introduced":"0"},{"last_affected":"15.1"}]},{"events":[{"introduced":"0"},{"last_affected":"42.3"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]}],"vanir_signatures_modified":"2026-04-11T08:55:50Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-12098.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"}]}