Improper Authentication in iodine - CVE-2014-4168
Published: July 3, 2014 / Updated: August 10, 2020
Vulnerability identifier: #VU41500
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2014-4168
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Kryo
Affected software:
iodine
iodine
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
(1) iodined.c and (2) user.c in iodine before 0.7.0 allows remote attackers to bypass authentication by continuing execution after an error has been triggering.
How to mitigate CVE-2014-4168
Install update from vendor's website.
Sources
- http://secunia.com/advisories/59417
- http://www.debian.org/security/2014/dsa-2964
- http://www.openwall.com/lists/oss-security/2014/06/16/5
- http://www.openwall.com/lists/oss-security/2014/06/18/1
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=751834
- https://github.com/yarrick/iodine/blob/b715be5cf3978fbe589b03b09c9398d0d791f850/CHANGELOG