Vulnerability Details : CVE-2022-45188
Potential exploit
Netatalk through 3.1.13 has an afp_getappl heap-based buffer overflow resulting in code execution via a crafted .appl file. This provides remote root access on some platforms such as FreeBSD (used for TrueNAS).
Vulnerability category: OverflowMemory Corruption
Products affected by CVE-2022-45188
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
- cpe:2.3:a:netatalk:netatalk:*:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-45188
0.18%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 55 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-45188
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.8
|
HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
1.8
|
5.9
|
NIST |
CWE ids for CVE-2022-45188
-
The product writes data past the end, or before the beginning, of the intended buffer.Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-45188
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SG6WZW5LXFVH3P7ZVZRGHUVJEMEFKQLI/
[SECURITY] Fedora 36 Update: netatalk-3.1.14-3.fc36 - package-announce - Fedora Mailing-Lists
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GEAFLA5L2SHOUFBAGUXIF2TZLGBXGJKT/
[SECURITY] Fedora 38 Update: netatalk-3.1.14-3.fc38 - package-announce - Fedora Mailing-Lists
-
https://lists.debian.org/debian-lts-announce/2023/05/msg00018.html
[SECURITY] [DLA 3426-1] netatalk security updateMailing List;Third Party Advisory
-
https://sourceforge.net/projects/netatalk/files/netatalk/
netatalk - Browse /netatalk at SourceForge.netRelease Notes;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GEAFLA5L2SHOUFBAGUXIF2TZLGBXGJKT/
[SECURITY] Fedora 38 Update: netatalk-3.1.14-3.fc38 - package-announce - Fedora Mailing-ListsMailing List
-
https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.14.html
Encountered a 404 errorBroken Link
-
https://rushbnt.github.io/bug%20analysis/netatalk-0day/
[1day to 0day] Netatalk from Pwn2own 2021 to 0x00 cent in 2022 - Bla Bla blogExploit;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZYWSGVA6WXREMB6PV56HAHKU7R6KPOP/
[SECURITY] Fedora 37 Update: netatalk-3.1.14-3.fc37 - package-announce - Fedora Mailing-Lists
-
https://security.gentoo.org/glsa/202311-02
Netatalk: Multiple Vulnerabilities including root remote code execution (GLSA 202311-02) — Gentoo securityIssue Tracking;Third Party Advisory
-
https://www.debian.org/security/2023/dsa-5503
Debian -- Security Information -- DSA-5503-1 netatalkThird Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EZYWSGVA6WXREMB6PV56HAHKU7R6KPOP/
[SECURITY] Fedora 37 Update: netatalk-3.1.14-3.fc37 - package-announce - Fedora Mailing-ListsMailing List
-
https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html
Netatalk Release NotesRelease Notes;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SG6WZW5LXFVH3P7ZVZRGHUVJEMEFKQLI/
[SECURITY] Fedora 36 Update: netatalk-3.1.14-3.fc36 - package-announce - Fedora Mailing-ListsMailing List
Jump to