CVE-2022-24806

net-snmp provides various tools relating to the Simple Network Management Protocol. Prior to version 5.9.2, a user with read-write credentials can exploit an Improper Input Validation vulnerability when SETing malformed OIDs in master agent and subagent simultaneously. Version 5.9.2 contains a patch. Users should use strong SNMPv3 credentials and avoid sharing the credentials. Those who must use SNMPv1 or SNMPv2c should use a complex community string and enhance the protection by restricting access to a given IP address range.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://bugzilla.redhat.com/show_bug.cgi?id=2103225	Third Party Advisory
https://github.com/net-snmp/net-snmp/commit/ce66eb97c17aa9a48bc079be7b65895266fa6775	Patch
https://lists.debian.org/debian-lts-announce/2022/08/msg00020.html	Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FX75KKGMO5XMV6JMQZF6KOG3JPFNQBY7/	Product
https://security.gentoo.org/glsa/202210-29	Third Party Advisory
https://www.debian.org/security/2022/dsa-5209	Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2103225	Third Party Advisory
https://github.com/net-snmp/net-snmp/commit/ce66eb97c17aa9a48bc079be7b65895266fa6775	Patch
https://lists.debian.org/debian-lts-announce/2022/08/msg00020.html	Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FX75KKGMO5XMV6JMQZF6KOG3JPFNQBY7/	Product
https://security.gentoo.org/glsa/202210-29	Third Party Advisory
https://www.debian.org/security/2022/dsa-5209	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:net-snmp:net-snmp:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:o:fedoraproject:fedora:35:::::::*
	cpe:2.3:o:fedoraproject:fedora:36:::::::*

Configuration 3 (hide)

OR	cpe:2.3:o:debian:debian_linux:10.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*

Configuration 4 (hide)

OR	cpe:2.3:o:redhat:enterprise_linux:9.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_eus:9.2:::::::*
	cpe:2.3:o:redhat:enterprise_linux_eus:9.4:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_arm_64:9.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_arm_64:9.2_aarch64:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_arm_64:9.4_aarch64:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_arm_64_eus:9.4_aarch64:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:9.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:9.2_s390x:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:9.4_s390x:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:9.4_s390x:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:9.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:9.2_ppc64le:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:9.4_ppc64le:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_aus:9.2:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_aus:9.4:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:9.2_ppc64le:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:9.2:::::::*
	cpe:2.3:o:redhat:enterprise_linux_update_services_for_sap_solutions:9.4:::::::*

History

17 Jan 2025, 16:09

Type	Values Removed	Values Added
CWE		NVD-CWE-noinfo
References	~~() https://bugzilla.redhat.com/show_bug.cgi?id=2103225 -~~	() https://bugzilla.redhat.com/show_bug.cgi?id=2103225 - Third Party Advisory
References	~~() https://github.com/net-snmp/net-snmp/commit/ce66eb97c17aa9a48bc079be7b65895266fa6775 -~~	() https://github.com/net-snmp/net-snmp/commit/ce66eb97c17aa9a48bc079be7b65895266fa6775 - Patch
References	~~() https://lists.debian.org/debian-lts-announce/2022/08/msg00020.html -~~	() https://lists.debian.org/debian-lts-announce/2022/08/msg00020.html - Third Party Advisory
References	~~() https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FX75KKGMO5XMV6JMQZF6KOG3JPFNQBY7/ -~~	() https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FX75KKGMO5XMV6JMQZF6KOG3JPFNQBY7/ - Product
References	~~() https://security.gentoo.org/glsa/202210-29 -~~	() https://security.gentoo.org/glsa/202210-29 - Third Party Advisory
References	~~() https://www.debian.org/security/2022/dsa-5209 -~~	() https://www.debian.org/security/2022/dsa-5209 - Third Party Advisory
First Time		Redhat enterprise Linux For Power Little Endian Redhat enterprise Linux Update Services For Sap Solutions Redhat enterprise Linux Server Aus Debian Redhat enterprise Linux Redhat enterprise Linux Server Update Services For Sap Solutions Redhat enterprise Linux For Power Little Endian Eus Redhat enterprise Linux For Arm 64 Fedoraproject fedora Redhat Net-snmp net-snmp Redhat enterprise Linux For Ibm Z Systems Redhat enterprise Linux For Ibm Z Systems Eus Net-snmp Debian debian Linux Redhat enterprise Linux Server For Power Little Endian Update Services For Sap Solutions Fedoraproject Redhat enterprise Linux For Arm 64 Eus Redhat enterprise Linux Eus
CPE		cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:9.4_ppc64le:::::::* cpe:2.3:o:fedoraproject:fedora:35:::::::* cpe:2.3:o:redhat:enterprise_linux_for_arm_64:9.4_aarch64:::::::* cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:9.2_ppc64le:::::::* cpe:2.3:o:redhat:enterprise_linux:9.0:::::::* cpe:2.3:o:debian:debian_linux:10.0:::::::* cpe:2.3:o:redhat:enterprise_linux_server_aus:9.4:::::::* cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:9.0:::::::* cpe:2.3:o:debian:debian_linux:11.0:::::::* cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:9.4_s390x:::::::* cpe:2.3:o:redhat:enterprise_linux_eus:9.2:::::::* cpe:2.3:a:net-snmp:net-snmp:::::::: cpe:2.3:o:fedoraproject:fedora:36:::::::* cpe:2.3:o:redhat:enterprise_linux_update_services_for_sap_solutions:9.4:::::::* cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:9.2_ppc64le:::::::* cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:9.2:::::::* cpe:2.3:o:redhat:enterprise_linux_for_arm_64:9.0:::::::* cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:9.4_s390x:::::::* cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:9.0:::::::* cpe:2.3:o:redhat:enterprise_linux_eus:9.4:::::::* cpe:2.3:o:redhat:enterprise_linux_for_arm_64:9.2_aarch64:::::::* cpe:2.3:o:redhat:enterprise_linux_server_aus:9.2:::::::* cpe:2.3:o:redhat:enterprise_linux_for_arm_64_eus:9.4_aarch64:::::::* cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:9.2_s390x:::::::*

21 Nov 2024, 06:51

Type	Values Removed	Values Added
References	~~() https://bugzilla.redhat.com/show_bug.cgi?id=2103225 -~~	() https://bugzilla.redhat.com/show_bug.cgi?id=2103225 -
References	~~() https://github.com/net-snmp/net-snmp/commit/ce66eb97c17aa9a48bc079be7b65895266fa6775 -~~	() https://github.com/net-snmp/net-snmp/commit/ce66eb97c17aa9a48bc079be7b65895266fa6775 -
References	~~() https://lists.debian.org/debian-lts-announce/2022/08/msg00020.html -~~	() https://lists.debian.org/debian-lts-announce/2022/08/msg00020.html -
References	~~() https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FX75KKGMO5XMV6JMQZF6KOG3JPFNQBY7/ -~~	() https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FX75KKGMO5XMV6JMQZF6KOG3JPFNQBY7/ -
References	~~() https://security.gentoo.org/glsa/202210-29 -~~	() https://security.gentoo.org/glsa/202210-29 -
References	~~() https://www.debian.org/security/2022/dsa-5209 -~~	() https://www.debian.org/security/2022/dsa-5209 -

17 Apr 2024, 12:48

Type	Values Removed	Values Added
Summary		(es) net-snmp proporciona varias herramientas relacionadas con el protocolo simple de administración de red. Antes de la versión 5.9.2, un usuario con credenciales de lectura y escritura podía aprovechar una vulnerabilidad de validación de entrada incorrecta al establecer OID con formato incorrecto en el agente maestro y el subagente simultáneamente. La versión 5.9.2 contiene un parche. Los usuarios deben utilizar credenciales SNMPv3 seguras y evitar compartirlas. Aquellos que deben utilizar SNMPv1 o SNMPv2c deben utilizar una cadena de comunidad compleja y mejorar la protección restringiendo el acceso a un rango de direcciones IP determinado.

16 Apr 2024, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-04-16 20:15

Updated : 2025-01-17 16:09

NVD link : CVE-2022-24806

Mitre link : CVE-2022-24806

CVE.ORG link : CVE-2022-24806

JSON object : View

Products Affected

fedoraproject

fedora

redhat

enterprise_linux
enterprise_linux_update_services_for_sap_solutions
enterprise_linux_for_ibm_z_systems_eus
enterprise_linux_for_ibm_z_systems
enterprise_linux_for_arm_64_eus
enterprise_linux_for_power_little_endian_eus
enterprise_linux_for_power_little_endian
enterprise_linux_server_aus
enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions
enterprise_linux_server_update_services_for_sap_solutions
enterprise_linux_eus
enterprise_linux_for_arm_64

net-snmp

net-snmp

debian

debian_linux

CWE

CWE-20

Improper Input Validation

NVD-CWE-noinfo

6.5 /10