CVE-2023-33192

Опубликовано: 27 мая 2023

Источник: nvd

CVSS3: 7.5

EPSS Низкий

Описание

ntpd-rs is an NTP implementation written in Rust. ntpd-rs does not validate the length of NTS cookies in received NTP packets to the server. An attacker can crash the server by sending a specially crafted NTP packet containing a cookie shorter than what the server expects. The server also crashes when it is not configured to handle NTS packets. The issue was caused by improper slice indexing. The indexing operations were replaced by safer alternatives that do not crash the ntpd-rs server process but instead properly handle the error condition. A patch was released in version 0.3.3.

Ссылки

https://github.com/pendulum-project/ntpd-rs/pull/752
Patch
https://github.com/pendulum-project/ntpd-rs/security/advisories/GHSA-qwhm-h7v3-mrjx
Mitigation
Vendor Advisory
https://github.com/pendulum-project/ntpd-rs/pull/752
Patch
https://github.com/pendulum-project/ntpd-rs/security/advisories/GHSA-qwhm-h7v3-mrjx
Mitigation
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:tweedegolf:ntpd-rs:*:*:*:*:*:rust:*:*

Версия от 0.3.0 (включая) до 0.3.3 (исключая)

EPSS

Процентиль: 42%

0.00197

Низкий

7.5 High

CVSS3

Дефекты

CWE-130

NVD-CWE-Other

Связанные уязвимости

GHSA-qwhm-h7v3-mrjx