CVE-2023-25076

CRITICAL

Sniproxy - Buffer Overflow

Title source: rule

Description

A buffer overflow vulnerability exists in the handling of wildcard backend hosts of SNIProxy 0.6.0-2 and the master branch (commit: 822bb80df9b7b345cc9eba55df74a07b498819ba). A specially crafted HTTP or TLS packet can lead to arbitrary code execution. An attacker could send a malicious packet to trigger this vulnerability.

References (5)

Core 5

Core References

Patch

https://github.com/dlundquist/sniproxy/commit/f8d9a433fe22ab2fa15c00179048ab02ae23d583

View Patch ZIP pw:eip

Exploit, Mitigation, Third Party Advisory

https://talosintelligence.com/vulnerability_reports/TALOS-2023-1731

Mailing List

https://lists.debian.org/debian-lts-announce/2023/04/msg00030.html

Third Party Advisory

https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1731

Third Party Advisory

https://www.debian.org/security/2023/dsa-5413

Scores

CVSS v3 9.8

EPSS 0.3552

EPSS Percentile 97.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-120

Status published

Products (2)

sniproxy_project/sniproxy 0.6.0-2

sniproxy_project/sniproxy 0.6.1

Published Mar 30, 2023

Tracked Since Feb 18, 2026