CVE-2022-23121

CRITICAL

Netatalk < 3.1.13 - Improper Exception Handling

Title source: rule

Description

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the parse_entries function. The issue results from the lack of proper error handling when parsing AppleDouble entries. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15819.

References (7)

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2023/05/msg00018.html

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2023/06/msg00000.html

[Release Notes] https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html

[Issue Tracking, Third Party Advisory] https://security.gentoo.org/glsa/202311-02

[Third Party Advisory] https://www.debian.org/security/2023/dsa-5503

[Third Party Advisory, VDB Entry] https://www.zerodayinitiative.com/advisories/ZDI-22-527/

[Third Party Advisory, US Government Resource] https://www.kb.cert.org/vuls/id/709991

Scores

CVSS v3 9.8

EPSS 0.1858

EPSS Percentile 95.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-755

Status published

Affected Products (3)

netatalk/netatalk < 3.1.13

debian/debian_linux

debian/debian_linux

Timeline

Published Mar 28, 2023

Tracked Since Feb 18, 2026