Vulnerability Details CVE-2024-25004
KiTTY versions 0.76.1.13 and before is vulnerable to a stack-based buffer overflow via the username, occurs due to insufficient bounds checking and input sanitization (at line 2600). This allows an attacker to overwrite adjacent memory, which leads to arbitrary code execution.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 59.8%
CVSS Severity
CVSS v3 Score 7.8
References
- http://packetstormsecurity.com/files/177031/KiTTY-0.76.1.13-Command-Injection.html
- http://packetstormsecurity.com/files/177032/KiTTY-0.76.1.13-Buffer-Overflows.html
- http://seclists.org/fulldisclosure/2024/Feb/13
- http://seclists.org/fulldisclosure/2024/Feb/14
- https://blog.defcesco.io/CVE-2024-25003-CVE-2024-25004
- http://packetstormsecurity.com/files/177031/KiTTY-0.76.1.13-Command-Injection.html
- http://packetstormsecurity.com/files/177032/KiTTY-0.76.1.13-Buffer-Overflows.html
- http://seclists.org/fulldisclosure/2024/Feb/13
- http://seclists.org/fulldisclosure/2024/Feb/14
- https://blog.defcesco.io/CVE-2024-25003-CVE-2024-25004
Products affected by CVE-2024-25004
-
cpe:2.3:a:9bis:kitty:0.66.6.3
-
cpe:2.3:a:9bis:kitty:0.70.0.9
-
cpe:2.3:a:9bis:kitty:0.71.0.1
-
cpe:2.3:a:9bis:kitty:0.71.0.2
-
cpe:2.3:a:9bis:kitty:0.71.0.3
-
cpe:2.3:a:9bis:kitty:0.71.0.4
-
cpe:2.3:a:9bis:kitty:0.71.0.5
-
cpe:2.3:a:9bis:kitty:0.71.0.6
-
cpe:2.3:a:9bis:kitty:0.71.0.7
-
cpe:2.3:a:9bis:kitty:0.72.0.1
-
cpe:2.3:a:9bis:kitty:0.72.0.2
-
cpe:2.3:a:9bis:kitty:0.72.0.3
-
cpe:2.3:a:9bis:kitty:0.72.0.4
-
cpe:2.3:a:9bis:kitty:0.72.0.5
-
cpe:2.3:a:9bis:kitty:0.72.0.6
-
cpe:2.3:a:9bis:kitty:0.73.0.1
-
cpe:2.3:a:9bis:kitty:0.73.0.2
-
cpe:2.3:a:9bis:kitty:0.73.1.1
-
cpe:2.3:a:9bis:kitty:0.73.1.2
-
cpe:2.3:a:9bis:kitty:0.73.1.3
-
cpe:2.3:a:9bis:kitty:0.73.1.4
-
cpe:2.3:a:9bis:kitty:0.73.1.5
-
cpe:2.3:a:9bis:kitty:0.73.2.1
-
cpe:2.3:a:9bis:kitty:0.73.2.10
-
cpe:2.3:a:9bis:kitty:0.73.2.11
-
cpe:2.3:a:9bis:kitty:0.73.2.12
-
cpe:2.3:a:9bis:kitty:0.73.2.13
-
cpe:2.3:a:9bis:kitty:0.73.2.14
-
cpe:2.3:a:9bis:kitty:0.73.2.15
-
cpe:2.3:a:9bis:kitty:0.73.2.16
-
cpe:2.3:a:9bis:kitty:0.73.2.17
-
cpe:2.3:a:9bis:kitty:0.73.2.18
-
cpe:2.3:a:9bis:kitty:0.73.2.2
-
cpe:2.3:a:9bis:kitty:0.73.2.3
-
cpe:2.3:a:9bis:kitty:0.73.2.4
-
cpe:2.3:a:9bis:kitty:0.73.2.5
-
cpe:2.3:a:9bis:kitty:0.73.2.6
-
cpe:2.3:a:9bis:kitty:0.73.2.7
-
cpe:2.3:a:9bis:kitty:0.73.2.8
-
cpe:2.3:a:9bis:kitty:0.73.2.9
-
cpe:2.3:a:9bis:kitty:0.74.0.1
-
cpe:2.3:a:9bis:kitty:0.74.0.2
-
cpe:2.3:a:9bis:kitty:0.74.0.3
-
cpe:2.3:a:9bis:kitty:0.74.0.4
-
cpe:2.3:a:9bis:kitty:0.74.0.5
-
cpe:2.3:a:9bis:kitty:0.74.0.6
-
cpe:2.3:a:9bis:kitty:0.74.0.7
-
cpe:2.3:a:9bis:kitty:0.74.1.1
-
cpe:2.3:a:9bis:kitty:0.74.2.1
-
cpe:2.3:a:9bis:kitty:0.74.2.2
-
cpe:2.3:a:9bis:kitty:0.74.2.3
-
cpe:2.3:a:9bis:kitty:0.74.2.4
-
cpe:2.3:a:9bis:kitty:0.74.2.5
-
cpe:2.3:a:9bis:kitty:0.74.2.6
-
cpe:2.3:a:9bis:kitty:0.74.2.7
-
cpe:2.3:a:9bis:kitty:0.74.2.8
-
cpe:2.3:a:9bis:kitty:0.74.3.1
-
cpe:2.3:a:9bis:kitty:0.74.3.2
-
cpe:2.3:a:9bis:kitty:0.74.3.3
-
cpe:2.3:a:9bis:kitty:0.74.3.4
-
cpe:2.3:a:9bis:kitty:0.74.3.5
-
cpe:2.3:a:9bis:kitty:0.74.4.1
-
cpe:2.3:a:9bis:kitty:0.74.4.10
-
cpe:2.3:a:9bis:kitty:0.74.4.11
-
cpe:2.3:a:9bis:kitty:0.74.4.12
-
cpe:2.3:a:9bis:kitty:0.74.4.13
-
cpe:2.3:a:9bis:kitty:0.74.4.2
-
cpe:2.3:a:9bis:kitty:0.74.4.3
-
cpe:2.3:a:9bis:kitty:0.74.4.4
-
cpe:2.3:a:9bis:kitty:0.74.4.5
-
cpe:2.3:a:9bis:kitty:0.74.4.6
-
cpe:2.3:a:9bis:kitty:0.74.4.7
-
cpe:2.3:a:9bis:kitty:0.74.4.8
-
cpe:2.3:a:9bis:kitty:0.74.4.9
-
cpe:2.3:a:9bis:kitty:0.76.1.13