[Forgot Password]
Login  Register Subscribe

30481

 
 

423868

 
 

255116

 
 

909

 
 

198683

 
 

282

Paid content will be excluded from the download.


Download | Alert*
CVE
view JSON

CVE-2023-42464Date: (C)2023-09-20   (M)2024-01-19


A Type Confusion vulnerability was found in the Spotlight RPC functions in afpd in Netatalk 3.1.x before 3.1.17. When parsing Spotlight RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings, and the values can be any of the supported types in the underlying protocol. Due to a lack of type checking in callers of the dalloc_value_for_key() function, which returns the object associated with a key, a malicious actor may be able to fully control the value of the pointer and theoretically achieve Remote Code Execution on the host. This issue is similar to CVE-2023-34967.

CVSS Score and Metrics +CVSS Score and Metrics -

CVSS V3 Severity:CVSS V2 Severity:
CVSS Score : 9.8CVSS Score :
Exploit Score: 3.9Exploit Score:
Impact Score: 5.9Impact Score:
 
CVSS V3 Metrics:CVSS V2 Metrics:
Attack Vector: NETWORKAccess Vector:
Attack Complexity: LOWAccess Complexity:
Privileges Required: NONEAuthentication:
User Interaction: NONEConfidentiality:
Scope: UNCHANGEDIntegrity:
Confidentiality: HIGHAvailability:
Integrity: HIGH 
Availability: HIGH 
  
Reference:
DSA-5503
https://lists.debian.org/debian-lts-announce/2023/09/msg00031.html
https://github.com/Netatalk/netatalk/issues/486
https://netatalk.sourceforge.io/
https://netatalk.sourceforge.io/3.1/htmldocs/afpd.8.html
https://netatalk.sourceforge.io/CVE-2023-42464.php

CWE    1
CWE-843
OVAL    4
oval:org.secpod.oval:def:708658
oval:org.secpod.oval:def:612675
oval:org.secpod.oval:def:95212
oval:org.secpod.oval:def:96789
...

© SecPod Technologies