Arjun Basnet

**Name of the Vulnerable Software and Affected Versions** Wireshark versions 4.6.0 through 4.6.5 Wireshark versions 4.4.0 through 4.4.15 **Description** A crash in the ROHC protocol dissector allows for a denial of service. A dissector is a software component that breaks down network packets into a readable format. **Recommendations** Update Wireshark versions 4.6.0 through 4.6.5 to a version newer than 4.6.5. Update Wireshark versions 4.4.0 through 4.4.15 to a version newer than 4.4.15.

**Name of the Vulnerable Software and Affected Versions** Samba versions prior to 4.22.10 Samba versions prior to 4.23.8 Samba versions prior to 4.24.3 **Description** A flaw exists in the Samba printing subsystem where the software passes a client-controlled job description string to the command configured in the "print command" setting using the `%J` substitution character. Because shell meta characters are not properly escaped, a remote unauthenticated attacker can send a specially crafted print job description containing unescaped shell characters to execute arbitrary code on the affected system. **Recommendations** Update to version 4.22.10. Update to version 4.23.8. Update to version 4.24.3. As a temporary workaround, remove `%J` from the "print command" configurations in the `smb.conf` file.

**Name of the Vulnerable Software and Affected Versions** Netatalk versions 3.1.0 through 4.4.2 **Description** Multiple heap out-of-bounds reads occur in the Spotlight RPC unmarshalling code. A remote authenticated attacker can exploit this to obtain sensitive information or cause a minor service disruption. Heap out-of-bounds read is a condition where the software reads data past the end of the intended memory buffer on the heap. **Recommendations** Update to version 4.4.3.

**Name of the Vulnerable Software and Affected Versions** Netatalk versions 1.3 through 4.4.2 **Description** An out-of-bounds read exists in the handling of ASP session IDs. This allows an adjacent network attacker to cause a denial of service or obtain limited information by sending a crafted ASP request. **Recommendations** Update to version 4.4.3.

**Name of the Vulnerable Software and Affected Versions** Netatalk versions 2.2.5 through 4.4.2 **Description** A race condition exists in the privilege toggle mechanism due to a non-reentrant privilege toggle. This allows a local attacker to obtain limited information, modify limited data, or cause a minor service disruption. **Recommendations** Update to version 4.5.0.

**Name of the Vulnerable Software and Affected Versions** Netatalk versions 2.0.0 through 4.4.2 **Description** An off-by-two error in the `lp write()` function within papd allows an adjacent network attacker to modify limited data or cause a minor service disruption by sending crafted print data. **Recommendations** Update to version 4.5.0.

**Name of the Vulnerable Software and Affected Versions** Netatalk versions 1.5.0 through 4.4.2 **Description** The software uses DES-ECB (Data Encryption Standard in Electronic Codebook mode) for authentication, which is susceptible to a timing side channel. This allows a remote attacker to recover authentication credentials by performing timing analysis. **Recommendations** Update to version 4.5.0.

**Name of the Vulnerable Software and Affected Versions** Netatalk versions 1.5.0 through 4.2.2 **Description** The DHCAST128 UAM (User Authentication Module) uses a broken cryptographic algorithm. This allows a remote attacker to perform a cryptanalytic attack to obtain authentication credentials or impersonate a user. **Recommendations** Update to version 4.5.0.

**Name of the Vulnerable Software and Affected Versions** Netatalk versions 2.2.2 through 4.4.2 **Description** An authentication bypass allows a remote privileged user to authenticate as an arbitrary user through the admin auth user mechanism. **Recommendations** Update to version 4.5.0.

**Name of the Vulnerable Software and Affected Versions** Netatalk versions 2.1.0 through 4.4.2 **Description** An LDAP injection allows a remote authenticated attacker to manipulate LDAP queries. By providing crafted filter input, an attacker can obtain limited information or modify LDAP entries. LDAP injection is a technique where malicious LDAP statements are inserted into an input field to alter the intended query logic. **Recommendations** Update to version 4.5.0.

**Name of the Vulnerable Software and Affected Versions** Netatalk versions 3.1.0 through 4.4.2 **Description** An SQL injection in the MySQL CNID backend allows a remote authenticated attacker to obtain unauthorized access to data, modify data, or cause a denial of service. SQL injection is a type of flaw that allows an attacker to interfere with the queries that an application makes to its database. **Recommendations** Update to version 4.4.3.

**Name of the Vulnerable Software and Affected Versions** Netatalk versions 2.0.4 through 4.4.2 **Description** A stack-based buffer overflow occurs due to UCS-2 type confusion within the `convert charset()` function. This allows a remote authenticated attacker to execute arbitrary code or cause a denial of service. **Recommendations** Update to version 4.4.3.

**Name of the Vulnerable Software and Affected Versions** Netatalk versions 2.0.4 through 4.4.2 **Description** An out-of-bounds write occurs due to improper null termination in the `convert charset()` function. This allows a remote authenticated attacker to execute arbitrary code or cause a denial of service by providing crafted character data. **Recommendations** Update to version 4.4.3. As a temporary workaround, restrict access to the `convert charset()` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Netatalk versions 3.0.2 through 4.4.2 **Description** An improper link resolution issue allows a remote authenticated attacker to read or overwrite arbitrary files through the creation of attacker-controlled symlinks (symbolic links, which are files that point to another file or directory). **Recommendations** Update to version 4.4.3.

**Name of the Vulnerable Software and Affected Versions** Netatalk versions 2.1.0 through 4.4.2 **Description** Netatalk inserts LDAP simple-bind passwords into log output in cleartext. This allows an attacker with access to the log files to obtain LDAP credentials. **Recommendations** Update to version 4.4.3.

**Name of the Vulnerable Software and Affected Versions** Netatalk versions 1.5.0 through 4.4.2 **Description** An integer underflow in the `dsi writeinit()` function allows a remote unauthenticated attacker to cause a denial of service via a crafted DSI write request. **Recommendations** Update to version 4.4.3. As a temporary workaround, consider restricting access to the `dsi writeinit()` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Netatalk versions 2.0.0 through 4.4.2 **Description** Netatalk generates AFP session tokens derived from predictable process IDs. This allows a remote authenticated attacker to cause a denial of service by exploiting the reconnect mechanism. **Recommendations** Update to version 4.4.3.

**Name of the Vulnerable Software and Affected Versions** Netatalk versions 3.1.4 through 4.4.2 **Description** A logic error involving bitwise OR operations allows a remote authenticated attacker to perform shell injection, enabling the execution of arbitrary OS commands. **Recommendations** Update to version 4.4.3.

**Name of the Vulnerable Software and Affected Versions** Netatalk versions 1.3 through 4.2.2 **Description** A stack-based buffer overflow occurs in `desktop.c`. This allows a remote authenticated attacker to cause a denial of service, obtain limited information, or modify limited data. A stack-based buffer overflow is a condition where a program writes more data to a buffer located on the stack than the buffer is allocated to hold, potentially overwriting adjacent memory. **Recommendations** Update to version 4.5.0.

**Name of the Vulnerable Software and Affected Versions** Netatalk versions 2.0.4 through 4.4.2 **Description** A missing output length bounds check in the `pull charset flags()` function allows a remote authenticated attacker to execute arbitrary code or cause a denial of service by sending crafted character set data. **Recommendations** Update to version 4.4.3.