History: Jul 02, 2021 - 5:32 p.m.

Advisory ROSA-SA-2021-1929

2021-07-02 17:32:57
ROSA LAB
abf.rosalinux.ru

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.8 High
Confidence: High

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.823 High
Percentile: 98.4%

Software: net-snmp 5.7.2
OS: Cobalt 7.9

CVE-ID: CVE-2014-2284
CVE-Crit: HIGH
CVE-DESC: The Linux implementation of ICMP-MIB in Net-SNMP 5.5 through 5.5.2.1, 5.6.x through 5.6.2.1, and 5.7.x through 5.7.2.1 incorrectly validates input, allowing remote attackers to cause a denial of service via unspecified vectors.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2014-2285
CVE-Crit: HIGH
CVE-DESC: The perl_trapd_handler function in perl/TrapReceiver/TrapReceiver.xs in Net-SNMP 5.7.3.pre3 and earlier, when using certain versions of Perl, allows remote attackers to cause a denial of service (snmptrapd failure) via an empty community string in an SNMP trap, which triggers a null pointer dereference in the newSVpv function in Perl.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2015-5621
CVE-Crit: MEDIUM
CVE-DESC: The snmp_pdu_parse function in snmp_api.c in net-snmp 5.7.2 and earlier does not remove the varBind variable in the netsnmp_variable_list element when SNMP PDU parsing fails, allowing remote attackers to cause a denial of service (failure) and possibly execute arbitrary code through a crafted packet.
CVE-STATUS: Default
CVE-REV: Default

CVE-ID: CVE-2015-8100
CVE-Crit: MEDIUM
CVE-DESC: The net-snmp package in OpenBSD before 5.8 uses 0644 permissions for snmpd.conf, which allows local users to obtain sensitive community information by reading this file.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2018-1000116
CVE-Crit: CRITICAL
CVE-DESC: NET-SNMP version 5.7.2 contains a vulnerability related to heap corruption in the UDP protocol handler that could lead to command execution.
CVE-STATUS: Default
CVE-REV: default

CVE-ID: CVE-2018-18065
CVE-Crit: MEDIUM
CVE-DESC: _set_key in agent/helpers/table_container.c in Net-SNMP before version 5.8 contains a NULL pointer exception bug that can be used by an authenticated attacker to remotely crash an instance via a crafted UDP packet, resulting in a denial of service.
CVE-STATUS: default
CVE-REV: Default

CVE-ID: CVE-2019-20892
CVE-Crit: MEDIUM
CVE-DESC: net-snmp before version 5.8.1.pre1 has a double free in usm_free_usmStateReference in snmplib/snmpusm.c via an SNMPv3 GetBulk request. NOTE: this affects net-snmp packages shipped to end users by several Linux distributions, but may not affect the original release.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-15861
CVE-Crit: HIGH
CVE-DESC: Net-SNMP before 5.7.3 allows privilege escalation because of UNIX symbolic link (symlink) following.
CVE-STATUS: Default
CVE-REV: Default

CVE-ID: CVE-2020-15862
CVE-Crit: HIGH
CVE-DESC: Net-SNMP before 5.7.3 has improper privilege management because SNMP WRITE access to the EXTEND MIB allows arbitrary commands to be run as the root user.
CVE-STATUS: default
CVE-REV: default
