{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-4603", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "assignerShortName": "VulDB", "dateUpdated": "2024-08-03T01:41:45.809Z", "dateReserved": "2022-12-18T00:00:00", "datePublished": "2022-12-18T00:00:00"}, "containers": {"cna": {"title": "ppp pppdump pppdump.c dumpppp array index", "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2024-01-13T20:06:21.461752"}, "descriptions": [{"lang": "en", "value": "A vulnerability classified as problematic has been found in ppp. Affected is the function dumpppp of the file pppdump/pppdump.c of the component pppdump. The manipulation of the argument spkt.buf/rpkt.buf leads to improper validation of array index. The real existence of this vulnerability is still doubted at the moment. The name of the patch is a75fb7b198eed50d769c80c36629f38346882cbf. It is recommended to apply a patch to fix this issue. VDB-216198 is the identifier assigned to this vulnerability. NOTE: pppdump is not used in normal process of setting up a PPP connection, is not installed setuid-root, and is not invoked automatically in any scenario."}], "tags": ["disputed"], "affected": [{"vendor": "unspecified", "product": "ppp", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/ppp-project/ppp/commit/a75fb7b198eed50d769c80c36629f38346882cbf"}, {"url": "https://vuldb.com/?id.216198"}, {"name": "FEDORA-2024-f0f2f19820", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J43NP7ABHOCIWOFHWCH6ZCZOYKZH6723/"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-119 Memory Corruption -> CWE-129 Improper Validation of Array Index", "cweId": "CWE-119"}]}], "x_generator": "vuldb.com"}, "adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J43NP7ABHOCIWOFHWCH6ZCZOYKZH6723/"}, {"url": "https://github.com/ppp-project/ppp/commit/a75fb7b198eed50d769c80c36629f38346882cbf", "tags": ["x_transferred"]}, {"url": "https://vuldb.com/?id.216198", "tags": ["x_transferred"]}, {"name": "FEDORA-2024-f0f2f19820", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J43NP7ABHOCIWOFHWCH6ZCZOYKZH6723/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T01:41:45.809Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:samba:ppp:*:*:*:*:*:linux:*:*", "matchCriteriaId": "82258314-09F8-4FC4-AE29-9A2239BC1D4A", "versionEndExcluding": "2.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:samba:ppp:*:*:*:*:*:solaris:*:*", "matchCriteriaId": "37D1F089-E855-46FB-B784-B82019B1D02E", "versionEndExcluding": "2.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "cna@vuldb.com", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "A vulnerability classified as problematic has been found in ppp. Affected is the function dumpppp of the file pppdump/pppdump.c of the component pppdump. The manipulation of the argument spkt.buf/rpkt.buf leads to improper validation of array index. The real existence of this vulnerability is still doubted at the moment. The name of the patch is a75fb7b198eed50d769c80c36629f38346882cbf. It is recommended to apply a patch to fix this issue. VDB-216198 is the identifier assigned to this vulnerability. NOTE: pppdump is not used in normal process of setting up a PPP connection, is not installed setuid-root, and is not invoked automatically in any scenario."}, {"lang": "es", "value": "Una vulnerabilidad ha sido encontrada en ppp y clasificada como problem\u00e1tica. La funci\u00f3n dumpppp del archivo pppdump/pppdump.c del componente pppdump es afectada por la vulnerabilidad. La manipulaci\u00f3n del argumento spkt.buf/rpkt.buf conduce a una validaci\u00f3n incorrecta del \u00edndice de la matriz. Por el momento todav\u00eda se duda de la existencia real de esta vulnerabilidad. El nombre del parche es a75fb7b198eed50d769c80c36629f38346882cbf. Se recomienda aplicar un parche para solucionar este problema. VDB-216198 es el identificador asignado a esta vulnerabilidad. NOTA: pppdump no se utiliza en el proceso normal de configuraci\u00f3n de una conexi\u00f3n PPP, no se instala con setuid-root y no se invoca autom\u00e1ticamente en ning\u00fan escenario."}], "id": "CVE-2022-4603", "lastModified": "2024-11-21T07:35:34.797", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-12-18T11:15:11.077", "references": [{"source": "cna@vuldb.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ppp-project/ppp/commit/a75fb7b198eed50d769c80c36629f38346882cbf"}, {"source": "cna@vuldb.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J43NP7ABHOCIWOFHWCH6ZCZOYKZH6723/"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory"], "url": "https://vuldb.com/?id.216198"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ppp-project/ppp/commit/a75fb7b198eed50d769c80c36629f38346882cbf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J43NP7ABHOCIWOFHWCH6ZCZOYKZH6723/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J43NP7ABHOCIWOFHWCH6ZCZOYKZH6723/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://vuldb.com/?id.216198"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}], "source": "cna@vuldb.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-119"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "ppp: improper validation of array index of the component pppdump", "id": "2255230", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2255230"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-119", "details": ["A vulnerability classified as problematic has been found in ppp. Affected is the function dumpppp of the file pppdump/pppdump.c of the component pppdump. The manipulation of the argument spkt.buf/rpkt.buf leads to improper validation of array index. The real existence of this vulnerability is still doubted at the moment. The name of the patch is a75fb7b198eed50d769c80c36629f38346882cbf. It is recommended to apply a patch to fix this issue. VDB-216198 is the identifier assigned to this vulnerability. NOTE: pppdump is not used in normal process of setting up a PPP connection, is not installed setuid-root, and is not invoked automatically in any scenario.", "A potential buffer overflow vulnerability was found in ppp. This issue occurs via manipulation of the spkt.buf/rpkt.buf argument, which may cause a crash."], "name": "CVE-2022-4603", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "ppp", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "ppp", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "ppp", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2022-12-19T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-4603\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-4603"], "statement": "pppdump is not used in the normal process of setting up a PPP connection, is not installed setuid-root, and is not invoked automatically in any scenario.", "threat_severity": "Moderate", "upstream_fix": "ppp 2.5.0"}