VDB
CVE-2022-0194
CVE-2022-0194
PUBLISHED
CVSS 9.800000190734863 CRITICAL
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ad_addcomment function. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15876.
EPSS 9.11% · 92.8th percentile
Risk Scores
CVSS v3.0
9.800000190734863
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
9.11%
92.8th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| netatalk | netatalk | 0 |
| debian | debian_linux | 11.0, 10.0 |
| Netatalk | Netatalk | 3.1.12 |
Timeline
- Aug 30, 2022 CVE Published
- Mar 29, 2023 EPSS Score
- May 6, 2023 EPSS Score
- Jul 21, 2023 EPSS Score
- Aug 29, 2023 EPSS Score
- Nov 2, 2023 EPSS Score
- Nov 23, 2023 EPSS Score
- Jan 28, 2024 EPSS Score
- Apr 13, 2024 EPSS Score
- May 22, 2024 EPSS Score
- Jul 2, 2024 EPSS Score
- Sep 7, 2024 EPSS Score
References
- https://www.synology.com/fr-fr/security/advisory/Synology_SA_22_06 advisory
- https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html url
- https://www.zerodayinitiative.com/advisories/ZDI-22-530/ url
- [debian-lts-announce] 20230516 [SECURITY] [DLA 3426-1] netatalk security update mailing-list
- DSA-5503 vendor-advisory
- GLSA-202311-02 vendor-advisory
- https://www.kb.cert.org/vuls/id/709991 url
- https://nvd.nist.gov/vuln/detail/CVE-2022-0194 advisory
- https://www.zerodayinitiative.com/advisories/ZDI-22-530 url