SB2026052532 - Multiple vulnerabilities in Netatalk
Published: May 25, 2026
Description
This security bulletin contains information about 3 vulnerabilities.
1) Download of code without integrity check (CVE-ID: N/A)
CWE-ID: CWE-494 - Download of Code Without Integrity Check
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to download of code without integrity check in the NetBSD CI workflow build-netbsd job, which installs build dependencies from a plaintext HTTP pkgsrc mirror. A remote privileged user positioned on the network path can substitute malicious packages and execute arbitrary code on the CI runner.
This affects the CI runner environment only; no path to release artifacts or repository writes was identified.
2) Inclusion of Functionality from Untrusted Control Sphere (CVE-ID: N/A)
CWE-ID: CWE-829 - Inclusion of Functionality from Untrusted Control Sphere
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary code during the image build process and inject code into published container images.
The vulnerability exists due to inclusion of functionality from an untrusted control sphere in distrib/docker/webmin_module.Dockerfile when downloading and executing a setup script from the mutable upstream master branch during the Docker image build. A remote privileged user can compromise the upstream repository or the script delivery path to inject code into published container images.
The downloaded script is executed as root during the build, and the resulting content is baked into published netatalk/webmin images.
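Issues 1 and 2 above share a root cause: the build installs or executes content fetched over a channel it never authenticates (a plaintext mirror, a mutable branch). The following POSIX sh helper is an added example, not Netatalk's own code, showing the fail-closed pattern: download to disk over HTTPS only, compare against a pinned SHA-256, and execute only on a match. The function names and the pinned-digest convention are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not Netatalk's code): fetch a remote script, check it
# against a pinned SHA-256, and only then execute it. This replaces the
# `curl .../master/setup.sh | sh` pattern with one where the build fails
# closed if the delivery path or the upstream branch has been tampered with.
set -eu

# Print the SHA-256 hex digest of a file; portable across GNU and BSD.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_script FILE EXPECTED_SHA256 -> 0 on match, 1 on mismatch.
verify_script() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# run_verified_script URL EXPECTED_SHA256
# URL should point at an immutable revision (a commit or a tag), never a
# branch like master, so the pinned digest stays meaningful. Refuses
# plaintext HTTP (the pkgsrc-mirror case) and any digest mismatch.
run_verified_script() {
    case "$1" in
        https://*) ;;
        *) echo "refusing non-HTTPS URL: $1" >&2; return 2 ;;
    esac
    tmp=$(mktemp)
    # Download to disk first; never pipe network content into a shell.
    if ! curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$1"; then
        rm -f "$tmp"; echo "download failed: $1" >&2; return 3
    fi
    if ! verify_script "$tmp" "$2"; then
        rm -f "$tmp"; echo "digest mismatch for $1; not executing" >&2
        return 1
    fi
    rc=0
    sh "$tmp" || rc=$?
    rm -f "$tmp"
    return "$rc"
}
```

In a Dockerfile the same idea is `ARG SETUP_SHA256=...` plus a `RUN` step that calls this helper, so a changed upstream script breaks the image build instead of being baked into it.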
3) Use of hard-coded credentials (CVE-ID: N/A)
CWE-ID: CWE-798 - Use of Hard-coded Credentials
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain full DBA access to MariaDB and read or write arbitrary files as the mysql operating-system user.
The vulnerability exists due to use of hard-coded credentials in distrib/docker/env_setup_netatalk.sh when the MySQL CNID backend is selected and AFP_CNID_SQL_PASS is unset. A remote attacker can authenticate with the publicly known fallback credential to gain full DBA access to MariaDB and read or write arbitrary files as the mysql operating-system user.
The issue is exposed in deployments using the shipped host-networked compose configuration, and user interaction is required.
Remediation
Install the update from the vendor's website.
References
- https://github.com/Netatalk/netatalk/security/advisories/GHSA-6r7r-8jpg-53pp
- https://github.com/Netatalk/netatalk/commit/c5e2f021f4f41313794dd8a4371d404e4dd720d3
- https://github.com/Netatalk/netatalk/security/advisories/GHSA-7fch-hrhx-h3mq
- https://github.com/Netatalk/netatalk/security/advisories/GHSA-prvr-w43r-xf5r