CVE-2023-25566 (gss-ntlmssp)

GSS-NTLMSSP is a mechglue plugin for the GSSAPI library that implements NTLM authentication. Prior to version 1.2.0, a memory leak can be triggered when parsing usernames which can trigger a denial-of-service. The domain portion of a username may be overridden causing an allocated memory area the size of the domain name to be leaked. An attacker can leak memory via the main `gss_accept_sec_context` entry point, potentially causing a denial-of-service. This issue is fixed in version 1.2.0.

area authentication cve domain domain name entry issue leak leaked library main may memory memory leak name ntlm ntlm authentication ntlmssp parsing plugin point service size trigger username usernames version version 1