CVE-2022-22995 — netatalk - security update

Description

The combination of primitives offered by SMB and AFP in their default configuration allows the arbitrary writing of files. By exploiting these combination of primitives, an attacker can execute arbitrary code.

How to fix CVE-2022-22995

To remediate CVE-2022-22995, upgrade the affected package to a fixed version below.

Debian/netatalk—upgrade to 3.1.12~ds-8+deb11u2 or later
—upgrade to 3.1.12~ds-3+deb10u5 or later
—upgrade to 3.1.12~ds-8+deb11u2 or later

Is CVE-2022-22995 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 3.1.12~ds-8+deb11u2
from 0, < 3.1.12~ds-3+deb10u5
from 0, < 3.1.12~ds-8+deb11u2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2022-22995