CVE-2024-1481

Name	CVE-2024-1481
Description	A flaw was found in FreeIPA. This issue may allow a remote attacker to craft a HTTP request with parameters that can be interpreted as command arguments to kinit on the FreeIPA server, which can lead to a denial of service.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3773-1
Debian Bugs	1065106

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
freeipa (PTS)	buster	4.7.2-3	vulnerable
	buster (security)	4.7.2-3+deb10u1	fixed
	bookworm	4.9.11-1	vulnerable
	sid	4.11.1-2	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
freeipa	source	buster	4.7.2-3+deb10u1		DLA-3773-1
freeipa	source	(unstable)	(unfixed)			1065106

Notes

https://bugzilla.redhat.com/show_bug.cgi?id=2262169
https://pagure.io/freeipa/issue/9541
ipa-4.10: https://pagure.io/freeipa/c/921661fd460799da69043e06e058cff75a64ce3c
ipa-4.10: https://pagure.io/freeipa/c/204011dc0514681511275a4b70a13bfa85c1a538
ipa-4.9: https://pagure.io/freeipa/c/b039f3087a13de3f34b230dbe29a7cfb1965700d
ipa-4.9: https://pagure.io/freeipa/c/96a478bbedd49c31e0f078f00f2d1cb55bb952fd
For buster (and most likely later versions) the vulnerable rpcserver.py code
is not part of the provided binary packages. The kinit.py file is however and
it is not entirelly clear whether this may be used in a vulnerable way when
the client is used for authentication purposes.