Lucene search

GoogleOSV:CVE-2024-38439

HistoryJun 16, 2024 - 1:15 p.m.

CVE-2024-38439

2024-06-1613:15:53

Google

osv.dev

netatalk

off-by-one error

heap-based buffer overflow

fploginext

fixed versions

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.1

Confidence

Low

EPSS

0.001

Percentile

30.3%

JSON

Netatalk before 3.2.1 has an off-by-one error and resultant heap-based buffer overflow because of setting ibuf[PASSWDLEN] to ‘\0’ in FPLoginExt in login in etc/uams/uams_pam.c. 2.4.1 and 3.1.19 are also fixed versions.

References

github.com/Netatalk/netatalk/blob/90d91a9ac9a7d6132ab7620d31c8c23400949206/etc/uams/uams_pam.c#L316

github.com/Netatalk/netatalk/issues/1096

github.com/Netatalk/netatalk/security/advisories/GHSA-8r68-857c-4rqc

netatalk.io/security/CVE-2024-38439

security-tracker.debian.org/tracker/CVE-2024-38439

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.1

Confidence

Low

EPSS

0.001

Percentile

30.3%

JSON

Related for OSV:CVE-2024-38439