NULL Pointer Dereference Affecting opennds package, versions <10.2.0+dfsg-1


Severity

Recommended
0.0
high
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
0.1% (44th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about NULL Pointer Dereference vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-DEBIANUNSTABLE-OPENNDS-6139431
  • published26 Dec 2023
  • disclosed17 Nov 2023

Introduced: 17 Nov 2023

CVE-2023-38315  (opens in a new tab)
CWE-476  (opens in a new tab)

How to fix?

Upgrade Debian:unstable opennds to version 10.2.0+dfsg-1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream opennds package and not the opennds package as distributed by Debian. See How to fix? for Debian:unstable relevant fixed versions and status.

An issue was discovered in OpenNDS Captive Portal before version 10.1.2. It has a try_to_authenticate NULL pointer dereference that can be triggered with a crafted GET HTTP with a missing client token query string parameter. Triggering this issue results in crashing OpenNDS (a Denial-of-Service condition). Affected OpenNDS Captive Portal before version 10.1.2 fixed in OpenWrt master, OpenWrt 23.05 and OpenWrt 22.03 on 28. August 2023 by updating OpenNDS to version 10.1.3.

CVSS Scores

version 3.1