Remote Code Execution Vulnerability in Netatalk
CVE-2022-23122

9.8CRITICAL

Key Information:

Vendor

Netatalk

Status
Netatalk
Vendor
CVE Published:
28 March 2023

What is CVE-2022-23122?

This vulnerability within Netatalk enables remote attackers to execute arbitrary code without requiring authentication. The flaw is located in the setfilparams function, where the system fails to adequately validate the length of input data before copying it into a stack-based buffer. This can lead to severe security risks, allowing attackers to execute malicious code with root privileges on affected systems.

Affected Version(s)

Netatalk 3.1.12

References

https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html
https://www.zerodayinitiative.com/advisories/ZDI-22-529/
https://lists.debian.org/debian-lts-announce/2023/05/msg0...
mailing-list

EPSS Score

7% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

CVSS V3.0

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Orange Tsai (@orange_8361) from DEVCORE Research Team
.