Vulnerabilities > CVE-2023-42464 - Type Confusion vulnerability in multiple products

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

netatalk

debian

CWE-843

critical

NVD

Published: 2023-09-20

Updated: 2024-07-01

Summary

A Type Confusion vulnerability was found in the Spotlight RPC functions in afpd in Netatalk 3.1.x before 3.1.17. When parsing Spotlight RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings, and the values can be any of the supported types in the underlying protocol. Due to a lack of type checking in callers of the dalloc_value_for_key() function, which returns the object associated with a key, a malicious actor may be able to fully control the value of the pointer and theoretically achieve Remote Code Execution on the host. This issue is similar to CVE-2023-34967.

Vulnerable Configurations

Part	Description	Count
Application	Netatalk Netatalk Netatalk 3.1 Netatalk Netatalk 3.1.1 Netatalk Netatalk 3.1.2 Netatalk Netatalk 3.1.3 Netatalk Netatalk 3.1.4 Netatalk Netatalk 3.1.5 Netatalk Netatalk 3.1.6 Netatalk Netatalk 3.1.7 Netatalk Netatalk 3.1.8 Netatalk Netatalk 3.1.9 Netatalk Netatalk 3.1.10 Netatalk Netatalk 3.1.11 Netatalk Netatalk 3.1.12 Netatalk Netatalk 3.1.13 Netatalk Netatalk 3.1.14 Netatalk Netatalk 3.1.15 Netatalk Netatalk 3.1.16	17
OS	Debian Debian Debian Linux 10.0 Debian Debian Linux 11.0	2

Common Weakness Enumeration (CWE)

CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References