CVE-2022-23219

9.8CRITICAL

Key Information:

Vendor
Gnu
Status
Glibc
Vendor
CVE Published:
14 January 2022

Summary

The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its hostname argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.

References

https://www.oracle.com/security-alerts/cpujul2022.html
https://sourceware.org/bugzilla/show_bug.cgi?id=22542
https://security.gentoo.org/glsa/202208-24
vendor-advisory

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.