CVE-2023-36177
Published 2024-01-23. CVE-2023-36177: An issue was discovered in badaix Snapcast version 0.27.0, allows remote attackers to execute arbitrary code and gain sensitive information via crafted request…
Priority: P2 · 67 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 28.86% (97.9th percentile)
An issue was discovered in badaix Snapcast version 0.27.0, allows remote attackers to execute arbitrary code and gain sensitive information via crafted request in JSON-RPC-API.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| badaix | snapcast | <= 0.27.0 | — |
| badaix | snapcast | >= 0 < 0.23.0+dfsg1-1+deb11u1 | 0.23.0+dfsg1-1+deb11u1 |
| badaix | snapcast | >= 0 < 0.26.0+dfsg1-1+deb12u1 | 0.26.0+dfsg1-1+deb12u1 |
| badaix | snapcast | >= 0 < 0.30.0-1 | 0.30.0-1 |
| badaix | snapcast | >= 0 < 0.30.0-1 | 0.30.0-1 |
| debian | snapcast | < snapcast 0.26.0+dfsg1-1+deb12u1 (bookworm) | snapcast 0.26.0+dfsg1-1+deb12u1 (bookworm) |
Detection & IOCs (extracted from sources)
- Target application is badaix Snapcast version 0.27.0; monitor for crafted/malformed JSON-RPC-API requests to the Snapcast service as a potential exploitation indicator.
- Vulnerability is specific to Snapcast version 0.27.0; Debian has issued fixes across multiple release tracks: bookworm fixed in 0.26.0+dfsg1-1+deb12u1, bullseye fixed in 0.23.0+dfsg1-1+deb11u1, forky/sid/trixie fixed in 0.30.0-1.
- Debian scope is listed as 'local', which may indicate the attack surface or exploitation context differs from the NVD description of remote exploitation.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
GHSA
GHSA-hgrc-r3ff-wxfq (ghsa_unreviewed, 2024-01-24): CVE-2023-36177, CRITICAL, CWE-94
An issue was discovered in badaix Snapcast version 0.27.0, allows remote attackers to execute arbitrary code and gain sensitive information via crafted request in JSON-RPC-API.
OSV
CVE-2023-36177 (osv, 2024-01-23, CVSS 9.8): CRITICAL
An issue was discovered in badaix Snapcast version 0.27.0, allows remote attackers to execute arbitrary code and gain sensitive information via crafted request in JSON-RPC-API.
Debian
CVE-2023-36177: snapcast (vendor_debian, 2023, CVSS 9.8): CRITICAL
An issue was discovered in badaix Snapcast version 0.27.0, allows remote attackers to execute arbitrary code and gain sensitive information via crafted request in JSON-RPC-API.
Scope: local
bookworm: resolved (fixed in 0.26.0+dfsg1-1+deb12u1)
bullseye: resolved (fixed in 0.23.0+dfsg1-1+deb11u1)
forky: resolved (fixed in 0.30.0-1)
sid: resolved (fixed in 0.30.0-1)
trixie: resolved (fixed in 0.30.0-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.