Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2023-42464

Good to know:

icon

Date: September 20, 2023

A Type Confusion vulnerability was found in the Spotlight RPC functions in afpd in Netatalk 3.1.x before 3.1.17. When parsing Spotlight RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings, and the values can be any of the supported types in the underlying protocol. Due to a lack of type checking in callers of the dalloc_value_for_key() function, which returns the object associated with a key, a malicious actor may be able to fully control the value of the pointer and theoretically achieve Remote Code Execution on the host. This issue is similar to CVE-2023-34967.

Language: C

Severity Score

Related Resources (10)

https://netatalk.sourceforge.io/
https://nvd.nist.gov/vuln/detail/CVE-2023-42464
https://security-tracker.debian.org/tracker/CVE-2023-42464
https://netatalk.sourceforge.io/2.0/htmldocs/afpd.8.html
https://lists.debian.org/debian-lts-announce/2023/09/msg00031.html
https://netatalk.sourceforge.io/3.1/htmldocs/afpd.8.html
https://github.com/Netatalk/netatalk/issues/486
https://netatalk.sourceforge.io/CVE-2023-42464.php
https://www.debian.org/security/2023/dsa-5503
https://www.mend.io/vulnerability-database/CVE-2023-42464

Severity Score

Weakness Type (CWE)

Access of Resource Using Incompatible Type ('Type Confusion')

CWE-843

Top Fix

icon

Upgrade Version

Upgrade to version netatalk-3-1-17

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH

Do you need more information?

Contact Us