Vulnerability Details : CVE-2022-4603
A vulnerability classified as problematic has been found in ppp. Affected is the function dumpppp of the file pppdump/pppdump.c of the component pppdump. The manipulation of the argument spkt.buf/rpkt.buf leads to improper validation of array index. The real existence of this vulnerability is still doubted at the moment. The name of the patch is a75fb7b198eed50d769c80c36629f38346882cbf. It is recommended to apply a patch to fix this issue. VDB-216198 is the identifier assigned to this vulnerability. NOTE: pppdump is not used in normal process of setting up a PPP connection, is not installed setuid-root, and is not invoked automatically in any scenario.
Products affected by CVE-2022-4603
- cpe:2.3:a:samba:ppp:*:*:*:*:*:solaris:*:*
- cpe:2.3:a:samba:ppp:*:*:*:*:*:linux:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-4603
0.17%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 55 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-4603
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3
|
MEDIUM | CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L |
0.9
|
3.4
|
VulDB | |
8.8
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
2.8
|
5.9
|
NIST | |
6.5
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
2.8
|
3.6
|
NIST |
CWE ids for CVE-2022-4603
-
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.Assigned by:
- cna@vuldb.com (Secondary)
- nvd@nist.gov (Primary)
-
The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.Assigned by: cna@vuldb.com (Primary)
References for CVE-2022-4603
-
https://github.com/ppp-project/ppp/commit/a75fb7b198eed50d769c80c36629f38346882cbf
pppdump: Avoid out-of-range access to packet buffer · ppp-project/ppp@a75fb7b · GitHubPatch;Third Party Advisory
-
https://vuldb.com/?id.216198
CVE-2022-4603 | ppp pppdump pppdump.c dumpppp array indexThird Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J43NP7ABHOCIWOFHWCH6ZCZOYKZH6723/
[SECURITY] Fedora 38 Update: ppp-2.4.9-10.fc38 - package-announce - Fedora Mailing-Lists
Jump to