CVE-2022-23121

CRITICAL

Netatalk < 3.1.13 - Improper Exception Handling

Title source: rule

Description

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the parse_entries function. The issue results from the lack of proper error handling when parsing AppleDouble entries. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15819.

References (7)

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2023/05/msg00018.html

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2023/06/msg00000.html

[Third Party Advisory] https://www.debian.org/security/2023/dsa-5503

[Issue Tracking, Third Party Advisory] https://security.gentoo.org/glsa/202311-02

[Release Notes] https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html

[Third Party Advisory, VDB Entry] https://www.zerodayinitiative.com/advisories/ZDI-22-527/

[Third Party Advisory, US Government Resource] https://www.kb.cert.org/vuls/id/709991

Scores

CVSS v3 9.8

EPSS 0.2081

EPSS Percentile 95.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-755

Status published

Products (3)

debian/debian_linux 10.0

debian/debian_linux 11.0

netatalk/netatalk < 3.1.13

Published Mar 28, 2023

Tracked Since Feb 18, 2026