{"id":"CVE-2024-37370","details":"In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.","modified":"2026-04-16T04:31:15.524196429Z","published":"2024-06-28T22:15:02.293Z","related":["ALSA-2024:5312","ALSA-2024:6166","SUSE-SU-2024:2300-1","SUSE-SU-2024:2302-1","SUSE-SU-2024:2303-1","SUSE-SU-2024:2305-1","SUSE-SU-2024:2307-1","SUSE-SU-2024:2322-1","SUSE-SU-2025:20051-1","openSUSE-SU-2024:14111-1"],"references":[{"type":"ADVISORY","url":"https://web.mit.edu/kerberos/www/advisories/"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20241108-0007/"},{"type":"FIX","url":"https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/krb5/krb5","events":[{"introduced":"0"},{"fixed":"8f56f544dd179056e9b8d02552e6c5e392eb2966"},{"fixed":"55fbf435edbe2e92dd8101669b1ce7144bc96fef"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.21.3"}]}}],"versions":["kfw-4.3-beta1","kfw-4.3-beta1-mit","krb5-1.21-beta1","krb5-1.21-final","krb5-1.21.1-final","krb5-1.21.2-final"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-37370.json","vanir_signatures":[{"source":"https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef","signature_version":"v1","deprecated":false,"signature_type":"Function","digest":{"length":454,"function_hash":"181288490691551539276030950384381900325"},"id":"CVE-2024-37370-1df7c73c","target":{"file":"src/tests/gssapi/t_invalid.c","function":"make_token"}},{"source":"https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef","signature_version":"v1","target":{"file":"src/lib/gssapi/krb5/k5sealv3.c"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["249506129078718211803429264891256381134","288149586519997172688793957007570430812","240646770775722692739035560481597382058","303900088052997634529903035635480983292","338126685936456179893363646948398891700","54487801512522521148961176327611494675","108745466256977167880621123289301581934"]},"id":"CVE-2024-37370-32c65a70","deprecated":false},{"source":"https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef","signature_version":"v1","deprecated":false,"signature_type":"Function","digest":{"length":4337,"function_hash":"98293196971926310410761654759985255839"},"id":"CVE-2024-37370-3f07a7bd","target":{"file":"src/lib/gssapi/krb5/k5sealv3.c","function":"gss_krb5int_unseal_token_v3"}},{"source":"https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef","signature_version":"v1","deprecated":false,"signature_type":"Function","digest":{"length":1693,"function_hash":"303351386319676587296194179357777809979"},"id":"CVE-2024-37370-41104b48","target":{"file":"src/lib/gssapi/krb5/k5unsealiov.c","function":"kg_unseal_iov_token"}},{"source":"https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef","signature_version":"v1","deprecated":false,"signature_type":"Function","digest":{"length":954,"function_hash":"140177844166912038852243412243705372883"},"id":"CVE-2024-37370-5c771456","target":{"file":"src/tests/gssapi/t_invalid.c","function":"make_fake_context"}},{"source":"https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef","signature_version":"v1","deprecated":false,"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["230425656155783130342333519260053525979","229344041728628893963599055128908416781","253458744637640492840184618760152751593","27574026631851263555301678032649503933","163608176491538825945561015738662347868","247119585514961648511300436561989594849","278020424269055034555322742033740408648"]},"id":"CVE-2024-37370-7d836a9b","target":{"file":"src/lib/gssapi/krb5/k5sealv3iov.c"}},{"source":"https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef","signature_version":"v1","deprecated":false,"signature_type":"Function","digest":{"length":711,"function_hash":"220604563734506325727267498493098391188"},"id":"CVE-2024-37370-ad93d025","target":{"file":"src/tests/gssapi/t_invalid.c","function":"make_fake_cfx_context"}},{"source":"https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef","signature_version":"v1","deprecated":false,"signature_type":"Function","digest":{"length":422,"function_hash":"289612554992914395914056291750669305271"},"id":"CVE-2024-37370-ada3136f","target":{"file":"src/tests/gssapi/t_invalid.c","function":"main"}},{"source":"https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef","signature_version":"v1","deprecated":false,"signature_type":"Function","digest":{"length":3741,"function_hash":"195348772871666817748336395484823275086"},"id":"CVE-2024-37370-b8dd53d5","target":{"file":"src/lib/gssapi/krb5/k5sealv3iov.c","function":"gss_krb5int_unseal_v3_iov"}},{"source":"https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef","signature_version":"v1","deprecated":false,"signature_type":"Function","digest":{"length":504,"function_hash":"138180890806099684658054031274090919201"},"id":"CVE-2024-37370-dff4f89b","target":{"file":"src/tests/gssapi/t_invalid.c","function":"try_accept"}},{"source":"https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef","signature_version":"v1","deprecated":false,"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["233632372815735821944452845218895474531","262355901222310656430491832498492947441","268895778251236432784648419410582503983","242461635590865998631206143405748904830","136801142089113954101277361283389620689","189321458024708033060279185243566343885","290457867488243979744144828237846139487","39653275422146381986640722615307140275","185110370425662329074055136086264140266","189654905727076676654792769577175054552","136186376754499126779963917652247664150","223645431530016318804164688796263486347","49992899863462079845897870321928455409","165526590684903766152291801862009571920","116800409787590243855009395891408830996","41793673749647707537679796596010563700","242286896785079614426167607149757882771","225704161944435927268696388495845123748","141669129805271476436645833121972852721","54944304351176642967641798106546604205","284634114269162632948060880050218330222","76660648972109655373638037035437315060","287018580442253345217872547137936767094","304142749247190506366625925409835191535"]},"id":"CVE-2024-37370-e203cdf1","target":{"file":"src/lib/gssapi/krb5/k5unsealiov.c"}},{"source":"https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef","signature_version":"v1","target":{"file":"src/tests/gssapi/t_invalid.c"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["46081912875478378167730162008287322351","149464097080068881471347518859610212764","35892351460835453544008038688602856515","54193177529587539228755428234936348740","164919141884014013814068777599774886015","120496654672254995287920120158482526705","126554600910143298594949515314786008045","333585463244526508338891052561915148049","256958163279390832948676018252331667586","262422870513302958039067222912526722592","61211325234348376708953122507925163417","299171055584048307906145994035865535193","336778840970254188031917970539975140587","166905904496776334174792100394807230944","111540463162605207689684621130918551539","207989100659469986248173380551508280264","97565035193547563755299054306486660559","69705857514109298907482687201353136595","250515738642808039124425234233033315531","25261943639470381576433545951373342846","155968463102505524668649792799427011221","226717774503492914134307443293630104298","119746595982831932772533352709249224472","196023733304730656852142114701616683193","333585463244526508338891052561915148049","256958163279390832948676018252331667586","262422870513302958039067222912526722592","61211325234348376708953122507925163417","336309751092384052925872768691007552095","15965313950902173205363818520986908205","230696040828335200846382527277056168876","320698243185774739555952786486669431219","155968463102505524668649792799427011221","226717774503492914134307443293630104298","119746595982831932772533352709249224472","196023733304730656852142114701616683193","42243522612720981631743587746788479498","307693904798826635995673740120516367504","238104374601084847629065065964754142982","297261495332378516068495605326068638926","33800677824973969342210146568669583464","293733998953732843216992635301307589459","65091210993800138874533158244793717783","245127060547121105878227485765971721395","23787540765483663146986435862528184311","231102783850306336970285948930938627737","307723069298870506556379174009256423268","282595538099047009400025529636777782070","296206049940099696660706586968381551308","174176388500282705820751983962690765736","260808767835095792348025919998486224897","172593446264879008148516919958583180417","254639008005813116174205609668589472439","34645225354467353828647583503494433","322226675994480185991064709950238932153","299134670706231447773652766012690091836","53168281897773373193406564668365842996","103977377026834181519666834105319338038","238721725913302095997120732506934052516","165575549363718143018069936434504485186","23647356369235017987347520688540098274","220262945418189216628434421934641596489"]},"id":"CVE-2024-37370-fd1182da","deprecated":false}],"vanir_signatures_modified":"2026-04-12T07:38:42Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}