VDB
CVE-2022-23122
CVE-2022-23122
PUBLISHED
CVSS 9.800000190734863 CRITICAL
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the setfilparams function. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15837.
EPSS 7.57% · 92.0th percentile
Risk Scores
CVSS v3.0
9.800000190734863
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
7.57%
92.0th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| netatalk | netatalk | 0 |
| debian | debian_linux | 10.0, 11.0 |
| Netatalk | Netatalk | 3.1.12 |
Timeline
- Aug 30, 2022 CVE Published
- Mar 29, 2023 EPSS Score
- May 6, 2023 EPSS Score
- Jul 21, 2023 EPSS Score
- Aug 29, 2023 EPSS Score
- Nov 2, 2023 EPSS Score
- Nov 23, 2023 EPSS Score
- Jan 28, 2024 EPSS Score
- Mar 6, 2024 EPSS Score
- May 22, 2024 EPSS Score
- Jul 2, 2024 EPSS Score
- Sep 7, 2024 EPSS Score
References
- https://www.synology.com/fr-fr/security/advisory/Synology_SA_22_06 advisory
- https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html url
- https://www.zerodayinitiative.com/advisories/ZDI-22-529/ url
- [debian-lts-announce] 20230516 [SECURITY] [DLA 3426-1] netatalk security update mailing-list
- DSA-5503 vendor-advisory
- GLSA-202311-02 vendor-advisory
- https://www.kb.cert.org/vuls/id/709991 url
- https://nvd.nist.gov/vuln/detail/CVE-2022-23122 advisory
- https://www.zerodayinitiative.com/advisories/ZDI-22-529 url