8.8

CVE-2022-24805

net-snmp: A buffer overflow in the handling of the INDEX of NET-SNMP-VACM-MIB can cause an out-of-bounds memory access.

net-snmp provides various tools relating to the Simple Network Management Protocol. Prior to version 5.9.2, a buffer overflow in the handling of the `INDEX` of             `NET-SNMP-VACM-MIB` can cause an out-of-bounds memory access. A user with read-only credentials can exploit the issue. Version 5.9.2 contains a patch. Users should use strong SNMPv3 credentials and avoid sharing the credentials. Those who must use SNMPv1 or SNMPv2c should use a complex community string and enhance the protection by restricting access to a given IP address range.
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.3% 0.667
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com 6.5 2.8 3.6
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.

https://bugzilla.redhat.com/show_bug.cgi?id=2103225
Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2105238
Third Party Advisory
https://github.com/net-snmp/net-snmp/commit/67ebb43e9038b2dae6e74ae8838b36fcc10fc937
Patch
https://github.com/net-snmp/net-snmp/commit/ce66eb97c17aa9a48bc079be7b65895266fa6775
Patch
https://lists.debian.org/debian-lts-announce/2022/08/msg00020.html
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FX75KKGMO5XMV6JMQZF6KOG3JPFNQBY7/
Product
https://security.gentoo.org/glsa/202210-29
Third Party Advisory
https://www.debian.org/security/2022/dsa-5209
Third Party Advisory