High severity (8.1) · NVD Advisory · Published Aug 25, 2017 · Updated May 13, 2026
CVE-2015-3206
Description
The checkPassword function in python-kerberos does not authenticate the KDC it attempts to communicate with, which allows remote attackers to cause a denial of service (bad response), or have other unspecified impact by performing a man-in-the-middle attack.
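The description above says that checkPassword never authenticates the KDC it talks to. The toy model below is an added example (not pykerberos code) that shows why that matters and what the standard mitigation looks like: Kerberos encryption is replaced by HMAC sealing, string-to-key by PBKDF2, and every realm, principal, password and key is constructed for the demo. It contrasts a check that believes whatever answers the AS-REQ (the checkPassword pattern) with one that additionally requests a ticket for the host's own service principal and verifies it against the key in a local keytab, which is the check the MIT library exposes as krb5_verify_init_creds; a KDC that does not hold the real service key cannot produce a ticket that passes it.

```python
"""Toy model of the KDC-spoofing weakness behind CVE-2015-3206 (added example,
not pykerberos code). Encryption is modelled as HMAC sealing and string-to-key
as PBKDF2; all names, passwords and keys are constructed for the demo."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

TAG_LEN = 32  # bytes of HMAC-SHA256 tag appended by seal()


def string_to_key(password, principal):
    """Derive a long-term key from a password; stand-in for Kerberos string2key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 1000)


def seal(key, msg):
    """Stand-in for Kerberos encryption: the message plus an HMAC tag under key."""
    return msg + hmac.new(key, msg, hashlib.sha256).digest()


def unseal(key, blob):
    """Return the message if its tag verifies under key, otherwise None."""
    msg, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(key, msg, hashlib.sha256).digest()
    return msg if hmac.compare_digest(expect, tag) else None


@dataclass
class KDC:
    """Minimal KDC: a principal database plus a TGS key. A spoofed KDC is just
    another instance of this class whose keys were chosen by someone else."""
    realm: str
    keys: dict = field(default_factory=dict)
    tgs_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))

    def add_principal(self, name, password):
        self.keys[name] = string_to_key(password, name)

    def as_exchange(self, user):
        """AS-REQ/AS-REP: session key sealed under the user's key, TGT under the TGS key."""
        if user not in self.keys:
            return None
        session = secrets.token_bytes(32)
        enc_part = seal(self.keys[user], session)
        tgt = seal(self.tgs_key, user.encode() + b"|" + session)
        return enc_part, tgt

    def tgs_exchange(self, tgt, service):
        """TGS-REQ/TGS-REP: validate the TGT and issue a ticket sealed under the service key."""
        inner = unseal(self.tgs_key, tgt)
        if inner is None or service not in self.keys:
            return None
        user, _session = inner.split(b"|", 1)
        return seal(self.keys[service], b"ticket:" + user + b"@" + service.encode())


def check_password_unverified(kdc, user, password):
    """The vulnerable pattern: whoever answers the AS-REQ is believed."""
    rep = kdc.as_exchange(user)
    if rep is None:
        return False
    enc_part, _tgt = rep
    return unseal(string_to_key(password, user), enc_part) is not None


def check_password_verified(kdc, user, password, service, keytab):
    """Hardened pattern: after the AS exchange, obtain a ticket for our own
    service principal and verify it with the key held in the local keytab."""
    rep = kdc.as_exchange(user)
    if rep is None:
        return False
    enc_part, tgt = rep
    if unseal(string_to_key(password, user), enc_part) is None:
        return False
    ticket = kdc.tgs_exchange(tgt, service)
    return ticket is not None and unseal(keytab[service], ticket) is not None


def demo():
    """Run both checks against the genuine KDC and a spoofed one; return the outcomes."""
    service = "http/www.example.com"  # constructed service principal
    real = KDC("EXAMPLE.COM")
    real.add_principal("alice", "correct horse")
    real.add_principal(service, "service-key-from-keytab")
    keytab = {service: real.keys[service]}  # the host's local copy of its own key

    spoofed = KDC("EXAMPLE.COM")  # answers on the KDC's behalf with its own keys
    spoofed.add_principal("alice", "not-alices-password")
    spoofed.add_principal(service, "does-not-know-the-real-key")

    return {
        "real_good_pw_unverified": check_password_unverified(real, "alice", "correct horse"),
        "real_bad_pw_unverified": check_password_unverified(real, "alice", "wrong"),
        "spoofed_unverified": check_password_unverified(spoofed, "alice", "not-alices-password"),
        "spoofed_verified": check_password_verified(spoofed, "alice", "not-alices-password", service, keytab),
        "real_good_pw_verified": check_password_verified(real, "alice", "correct horse", service, keytab),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The `spoofed_unverified` result is the whole bug: the unverified check accepts a password the real realm has never seen, because it only needs a decryptable AS-REP. The verified check fails the same login, since the ticket it demands can only be sealed under the service key held in the host's keytab.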
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| kerberos (PyPI) | <= 1.2.5 | — |
| pykerberos (PyPI) | < 1.1.6 | 1.1.6 |
Affected products
- cpe:2.3:a:apple:pykerberos:-:*:*:*:*:*:*:*
Patches
- 9cb61c93f9b2: Add warning about use of checkPassword. (2 files changed · +14 −2)
pysrc/kerberos.py+6 −2 modified@@ -38,12 +38,16 @@ def checkPassword(user, pswd, service, default_realm): That will likely mean ensuring that the edu.mit.Kerberos preference file has the correct realms and KDCs listed. + IMPORTANT This method is vulnerable to KDC spoofing attacks and it should only used + for testing. Do not use this in any production system - your security could be + compromised if you do. + @param user: a string containing the Kerberos user name. A realm may be included by appending an '@' followed by the realm string to the actual user id. If no realm is supplied, then the realm set in the default_realm argument will be used. @param pswd: a string containing the password for the user. - @param service: a string containging the Kerberos service to check access for. + @param service: a string containing the Kerberos service to check access for. This will be of the form 'sss/xx.yy.zz', where 'sss' is the service identifier (e.g., 'http', 'krbtgt'), and 'xx.yy.zz' is the hostname of the server. @param default_realm: a string containing the default realm to use if one is not @@ -61,7 +65,7 @@ def changePassword(user, oldpswd, newpswd): If no realm is supplied, then the realm set in the default_realm argument will be used. @param oldpswd: a string containing the old (current) password for the user. - @param newpswd: a string containging the new password for the user. + @param newpswd: a string containing the new password for the user. @return: True if password changing succeeds, False otherwise. """
README.txt+8 −0 modified@@ -44,6 +44,14 @@ directory. Then run test.py with suitable command line arguments: 'http@host.example.com') +IMPORTANT +========= + +The checkPassword method provided by this library is meant only for testing purposes as it does +not offer any protection against possible KDC spoofing. That method should not be used in any +production code. + + Python APIs ===========
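Review bot: in the first hunk (pysrc/kerberos.py, the checkPassword docstring) the added sentence "it should only used for testing" is missing "be"; more importantly, the hunk changes only the docstring, so after this commit checkPassword still completes just the AS exchange and never verifies the reply against anything the host controls, which is exactly the behaviour the advisory describes. The warning is the entire mitigation here. If the function stays in the public API, the standard fix is to follow the AS exchange by obtaining a ticket for a service principal in a local keytab and verifying it (MIT's krb5_verify_init_creds); otherwise consider removing or deprecating the function rather than documenting it as unsafe.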
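Review bot: the README hunk states that checkPassword "is meant only for testing purposes" and "should not be used in any production code", but nothing in the patch enforces that at runtime, and existing callers will not read README.txt when they upgrade. Suggest pairing the note with a runtime warning at the call site (for example `warnings.warn(...)` when checkPassword is invoked) and linking the "IMPORTANT" section to the tracking issue so the reason is discoverable from the package itself.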
References
- www.openwall.com/lists/oss-security/2015/05/21/3 (nvd: Mailing List, Patch, Third Party Advisory, WEB)
- bugzilla.redhat.com/show_bug.cgi (nvd: Issue Tracking, Patch, Third Party Advisory, WEB)
- github.com/apple/ccs-pykerberos/issues/31 (nvd: Issue Tracking, Patch, Third Party Advisory, WEB)
- pypi.python.org/pypi/kerberos (nvd: Patch, Vendor Advisory, WEB)
- www.securityfocus.com/bid/74760 (nvd: Third Party Advisory, VDB Entry)
- github.com/advisories/GHSA-mffc-9gx5-99g3 (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2015-3206 (ghsa: ADVISORY)
- github.com/apple/ccs-pykerberos/commit/9cb61c93f9b24dd18a0a315f3df5445529c5c333 (ghsa: WEB)
- github.com/pypa/advisory-database/tree/main/vulns/kerberos/PYSEC-2017-49.yaml (ghsa: WEB)
- github.com/pypa/advisory-database/tree/main/vulns/pykerberos/PYSEC-2017-66.yaml (ghsa: WEB)
- web.archive.org/web/20150910143429/https://trac.calendarserver.org/ticket/833 (ghsa: WEB)
- web.archive.org/web/20200228090829/http://www.securityfocus.com/bid/74760 (ghsa: WEB)