CVE-2023-42464: Type Confusion in Netatalk

CWE-843: Type Confusion
6 documents, 5 sources
Severity: 9.8 CRITICAL (NVD), 5.3 (OSV)
EPSS: 7.7% (top 8.07%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 20, Latest update Dec 12

Description

A Type Confusion vulnerability was found in the Spotlight RPC functions in afpd in Netatalk 3.1.x before 3.1.17. When parsing Spotlight RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings, and the values can be any of the supported types in the underlying protocol. Due to a lack of type checking in callers of the dalloc_value_for_key() function, which returns the object associated with a key, a malicious actor may be able to fully control

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (4 packages)

debian: debian/netatalk < netatalk 3.1.12~ds-8+deb11u1 (bullseye)
NVD: netatalk/netatalk 3.1 3.1.17
Debian: netatalk/netatalk < 3.1.12~ds-8+deb11u1+2
Ubuntu: netatalk/netatalk < 3.1.12~ds-4ubuntu0.20.04.3+1

Also affects: Debian Linux 10.0, 11.0

Patches

Vulnerability Details (3)

OSV: netatalk vulnerability (2023-12-12)
GHSA: GHSA-qv4g-5q5g-2vc3: A Type Confusion vulnerability was found in the Spotlight RPC functions in afpd in Netatalk 3 (2023-09-20)
OSV: CVE-2023-42464: A Type Confusion vulnerability was found in the Spotlight RPC functions in afpd in Netatalk 3 (2023-09-20)

Vendor Advisories (2)

Ubuntu: Netatalk vulnerability (2023-12-12)
Debian: CVE-2023-42464: netatalk - A Type Confusion vulnerability was found in the Spotlight RPC functions in afpd ... (2023)