How serious is CVE-2022-45188?

This vulnerability has a CVSS score of 7.8 out of 10, classified as HIGH severity. No public exploit code has been identified yet.

Which products are affected by CVE-2022-45188?

CVE-2022-45188 affects netatalk netatalk. Check the full CVE details for specific version information.

How do I fix CVE-2022-45188?

To remediate CVE-2022-45188, check for security patches from netatalk. Apply all available updates and security patches. If no patch is available, implement recommended workarounds or security controls to mitigate the risk.

CVE-2022-45188

High

|7.8

No Exploit

Plain English Summary

AI-powered analysis for quick understanding

This vulnerability allows an attacker to execute malicious code remotely, potentially gaining full control over affected systems like FreeBSD, which is used in TrueNAS. It occurs when a specially crafted .appl file is processed, making it crucial for systems running vulnerable versions of Netatalk to be updated or secured.

Technical Description

Netatalk through 3.1.13 has an afp_getappl heap-based buffer overflow resulting in code execution via a crafted .appl file. This provides remote root access on some platforms such as FreeBSD (used for TrueNAS).

CVSS Vector Analysis

Attack VectorLocal

Attack ComplexityLow

Privileges RequiredNone

User InteractionRequired

Confidentiality ImpactHigh

Integrity ImpactHigh

Availability ImpactHigh

ScopeUnchanged

Vector String

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploit Resources

Search for proof-of-concept code and exploit modules

GitHub Search Exploit-DB Nuclei Templates Metasploit Vulners

Official References

NIST NVD

Est. Bounty

$2,684($1K-$5K)

Vendor Response

Grade FPatched in 1189 days

Quick Information

Published

Nov 12, 2022

over 3 years ago

Last Modified

Feb 13, 2026

about 2 months ago

Vendor

netatalk

Product

netatalk

Related Vulnerabilities

CVE-2018-1160Critical

This vulnerability allows an attacker to run any code they want on a system using Netatalk, which could lead to complete control over that system. It can be exploited remotely without needing to log in, as long as the attacker can send specially crafted data to the affected software.