High severity 7.4 · NVD Advisory · Published May 15, 2019 · Updated Apr 15, 2026

CVE-2019-12098

Description

In the client side of Heimdal before 7.6.0, failure to verify anonymous PKINIT PA-PKINIT-KX key exchange permits a man-in-the-middle attack. This issue is in krb5_init_creds_step in lib/krb5/init_creds_pw.c.

Affected products

9
  • cpe:2.3:a:heimdal_project:heimdal:*:*:*:*:*:*:*:*
    Range: <7.6.0
  • cpe:2.3:a:opensuse:backports_sle:15.0:-:*:*:*:*:*:*
  • cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
  • OpenSUSE/Leap (3 versions)
    • cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
    • cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
    • cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*

Patches

2

References

11
