VDB
CVE-2022-23125
CVE-2022-23125
PUBLISHED
CVSS 9.800000190734863 CRITICAL
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the copyapplfile function. When parsing the len element, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15869.
EPSS 32.13% · 96.9th percentile
Risk Scores
CVSS v3.0
9.800000190734863
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
32.13%
96.9th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Netatalk | Netatalk | 5.18.117 |
| netatalk | netatalk | 0 |
| debian | debian_linux | 10.0, 11.0 |
Timeline
- Aug 30, 2022 CVE Published
- Mar 29, 2023 EPSS Score
- Apr 4, 2023 EPSS Score
- Nov 2, 2023 EPSS Score
- Apr 3, 2024 EPSS Score
- Apr 29, 2024 EPSS Score
- Jul 2, 2024 EPSS Score
- Sep 7, 2024 EPSS Score
- Oct 18, 2024 EPSS Score
- Nov 16, 2024 EPSS Score
- Dec 15, 2024 EPSS Score
- Dec 17, 2024 EPSS Score
References
- https://security.gentoo.org/glsa/202311-02 url
- https://www.synology.com/fr-fr/security/advisory/Synology_SA_22_06 advisory
- https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html url
- https://www.zerodayinitiative.com/advisories/ZDI-22-526/ url
- [debian-lts-announce] 20230516 [SECURITY] [DLA 3426-1] netatalk security update mailing-list
- DSA-5503 vendor-advisory
- https://www.kb.cert.org/vuls/id/709991 url
- https://nvd.nist.gov/vuln/detail/CVE-2022-23125 advisory
- https://www.zerodayinitiative.com/advisories/ZDI-22-526 url