GMS-2016-58: Spoofing attack due to unvalidated KDC

August 4, 2016

This module does not validate the KDC, which might allow an attacker with network access and enough time to spoof the KDC and impersonate a valid user without knowing their credentials.

References

archive.hack.lu/2010/Bouillon-Stealing-credentials-for-impersonation.pdf
github.com/qesuto/node-krb5/issues/13
www.npmjs.com/package/kerberos

Detect and mitigate GMS-2016-58 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →