Vulnerability Details CVE-2022-24809
net-snmp provides various tools relating to the Simple Network Management Protocol. Prior to version 5.9.2, a user with read-only credentials can use a malformed OID in a `GET-NEXT` to the `nsVacmAccessTable` to cause a NULL pointer dereference. Version 5.9.2 contains a patch. Users should use strong SNMPv3 credentials and avoid sharing the credentials. Those who must use SNMPv1 or SNMPv2c should use a complex community string and enhance the protection by restricting access to a given IP address range.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 29.7%
CVSS Severity
CVSS v3 Score 6.5
References
- https://bugzilla.redhat.com/show_bug.cgi?id=2103225
- https://bugzilla.redhat.com/show_bug.cgi?id=2105242
- https://github.com/net-snmp/net-snmp/commit/ce66eb97c17aa9a48bc079be7b65895266fa6775
- https://lists.debian.org/debian-lts-announce/2022/08/msg00020.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FX75KKGMO5XMV6JMQZF6KOG3JPFNQBY7/
- https://security.gentoo.org/glsa/202210-29
- https://www.debian.org/security/2022/dsa-5209
- https://bugzilla.redhat.com/show_bug.cgi?id=2103225
- https://bugzilla.redhat.com/show_bug.cgi?id=2105242
- https://github.com/net-snmp/net-snmp/commit/ce66eb97c17aa9a48bc079be7b65895266fa6775
- https://lists.debian.org/debian-lts-announce/2022/08/msg00020.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FX75KKGMO5XMV6JMQZF6KOG3JPFNQBY7/
- https://security.gentoo.org/glsa/202210-29
- https://www.debian.org/security/2022/dsa-5209
Products affected by CVE-2022-24809
-
cpe:2.3:a:net-snmp:net-snmp:5.0
-
cpe:2.3:a:net-snmp:net-snmp:5.0.1
-
cpe:2.3:a:net-snmp:net-snmp:5.0.2
-
cpe:2.3:a:net-snmp:net-snmp:5.0.3
-
cpe:2.3:a:net-snmp:net-snmp:5.0.4
-
cpe:2.3:a:net-snmp:net-snmp:5.0.5
-
cpe:2.3:a:net-snmp:net-snmp:5.0.6
-
cpe:2.3:a:net-snmp:net-snmp:5.0.7
-
cpe:2.3:a:net-snmp:net-snmp:5.0.8
-
cpe:2.3:a:net-snmp:net-snmp:5.0.9
-
cpe:2.3:a:net-snmp:net-snmp:5.1
-
cpe:2.3:a:net-snmp:net-snmp:5.1.2
-
cpe:2.3:a:net-snmp:net-snmp:5.2
-
cpe:2.3:a:net-snmp:net-snmp:5.3
-
cpe:2.3:a:net-snmp:net-snmp:5.3.0.1
-
cpe:2.3:a:net-snmp:net-snmp:5.4
-
cpe:2.3:a:net-snmp:net-snmp:5.4.2.1
-
cpe:2.3:a:net-snmp:net-snmp:5.5
-
cpe:2.3:a:net-snmp:net-snmp:5.6
-
cpe:2.3:a:net-snmp:net-snmp:5.7
-
cpe:2.3:a:net-snmp:net-snmp:5.7.1
-
cpe:2.3:a:net-snmp:net-snmp:5.7.2
-
cpe:2.3:a:net-snmp:net-snmp:5.7.3
-
cpe:2.3:a:net-snmp:net-snmp:5.8
-
cpe:2.3:a:net-snmp:net-snmp:5.9
-
cpe:2.3:a:net-snmp:net-snmp:5.9.1
-
cpe:2.3:o:debian:debian_linux:10.0
-
cpe:2.3:o:debian:debian_linux:11.0
-
cpe:2.3:o:fedoraproject:fedora:36
-
cpe:2.3:o:redhat:enterprise_linux:9.0
-
cpe:2.3:o:redhat:enterprise_linux_eus:9.2
-
cpe:2.3:o:redhat:enterprise_linux_eus:9.4
-
cpe:2.3:o:redhat:enterprise_linux_for_arm_64:9.0
-
cpe:2.3:o:redhat:enterprise_linux_for_arm_64:9.2_aarch64
-
cpe:2.3:o:redhat:enterprise_linux_for_arm_64:9.4_aarch64
-
cpe:2.3:o:redhat:enterprise_linux_for_arm_64_eus:9.4_aarch64
-
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:9.0
-
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:9.2_s390x
-
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:9.4_s390x
-
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:9.4_s390x
-
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:9.0
-
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:9.2_ppc64le
-
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:9.4_ppc64le
-
cpe:2.3:o:redhat:enterprise_linux_server_aus:9.2
-
cpe:2.3:o:redhat:enterprise_linux_server_aus:9.4
-
Redhat » Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions » Version: 9.2_ppc64lecpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:9.2_ppc64le
-
cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:9.2
-
cpe:2.3:o:redhat:enterprise_linux_update_services_for_sap_solutions:9.4