Apache Kerby: Kerberos Pre-Authentication Bypass
Summary
It is possible to bypass the Kerberos pre-authentication check in Apache Kerby by sending a PA-DATA with an unrecognized or unsupported type. Users are recommended to upgrade to version 2.1.2, which fixes this issue.
What this means
In plain English
It is possible to bypass the Kerberos pre-authentication check in Apache Kerby by sending a PA-DATA with an unrecognized or unsupported type. Users are recommended to upgrade to version 2.1.2, which fixes this issue. The official description indicates that exploitation does not require prior authentication. An authentication bypass can allow protected functionality to be reached without completing the intended identity checks.
Recommended action
Primary action: update to a vendor-listed fixed release: 2.1.2.
Rewritten locally from the scraped official advisory data above; no generative API is used. The vendor advisory is authoritative.
- Apache Kerby before 2.1.2
Official advisory · medium-confidence parse· fetched 2 hours ago·verify at source
- 2.1.2
Official advisory · medium-confidence parse· fetched 2 hours ago·verify at source
Mitigation
Upgrade to a fixed release: 2.1.2. That is the remediation for this advisory.
The vendor advisory may list additional interim mitigations or workarounds not captured here — review it before change work.
Official advisory · medium-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.