CVE-2008-4309 - Vulnerability Details

- net-snmp: numresponses calculation integer overflow in snmp_agent.c

Description

Integer overflow in the netsnmp_create_subtree_cache function in agent/snmp_agent.c in net-snmp 5.4 before 5.4.2.1, 5.3 before 5.3.2.3, and 5.2 before 5.2.5.1 allows remote attackers to cause a denial of service (crash) via a crafted SNMP GETBULK request, which triggers a heap-based buffer overflow, related to the number of responses or repeats.

Published: 2008-10-31

Score: 7.5 High

EPSS: 4.9% Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:net-snmp:net-snmp:5.2.5:::::::*
	cpe:2.3:a:net-snmp:net-snmp:5.3.2.2:::::::*
	cpe:2.3:a:net-snmp:net-snmp:5.4:::::::*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 3
net-snmp-0:5.0.9-2.30E.25	cpe:/o:redhat:enterprise_linux:3	RHSA-2008:0971	2008-11-03T00:00:00Z
Red Hat Enterprise Linux 4
net-snmp-0:5.1.2-13.el4_7.2	cpe:/o:redhat:enterprise_linux:4	RHSA-2008:0971	2008-11-03T00:00:00Z
Red Hat Enterprise Linux 5
net-snmp-1:5.3.1-24.el5_2.2	cpe:/o:redhat:enterprise_linux:5	RHSA-2008:0971	2008-11-03T00:00:00Z

No data available yet.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-1663-1	New net-snmp packages fix several vulnerabilities
Ubuntu USN	USN-685-1	Net-SNMP vulnerabilities

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.04926.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
http://lists.apple.com/archives/security-announce/2009/May/msg00002.html
http://lists.apple.com/archives/security-announce/2010//Dec/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00000.html
http://marc.info/?l=bugtraq&m=125017764422557&w=2
http://net-snmp.svn.sourceforge.net/viewvc/net-snmp/tags/Ext-5-2-5-1/net-snmp/agent/snmp_agent.c?r1=17271&r2=17272&pathrev=17272
http://secunia.com/advisories/32539
http://secunia.com/advisories/32560
http://secunia.com/advisories/32664
http://secunia.com/advisories/32711
http://secunia.com/advisories/33003
http://secunia.com/advisories/33095
http://secunia.com/advisories/33631
http://secunia.com/advisories/33746
http://secunia.com/advisories/33821
http://secunia.com/advisories/35074
http://secunia.com/advisories/35679
http://security.gentoo.org/glsa/glsa-200901-15.xml
http://sourceforge.net/forum/forum.php?forum_id=882903
http://sunsolve.sun.com/search/document.do?assetkey=1-26-262908-1
http://support.apple.com/kb/HT3549
http://support.apple.com/kb/HT4298
http://support.avaya.com/elmodocs2/security/ASA-2008-467.htm
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0315
http://www.debian.org/security/2008/dsa-1663
http://www.mandriva.com/security/advisories?name=MDVSA-2008:225
http://www.openwall.com/lists/oss-security/2008/10/31/1
http://www.redhat.com/support/errata/RHSA-2008-0971.html
http://www.securityfocus.com/archive/1/498280/100/0/threaded
http://www.securityfocus.com/bid/32020
http://www.securitytracker.com/id?1021129
http://www.ubuntu.com/usn/usn-685-1
http://www.us-cert.gov/cas/techalerts/TA09-133A.html
http://www.vmware.com/security/advisories/VMSA-2009-0001.html
http://www.vupen.com/english/advisories/2008/2973
http://www.vupen.com/english/advisories/2008/3400
http://www.vupen.com/english/advisories/2009/0301
http://www.vupen.com/english/advisories/2009/1297
http://www.vupen.com/english/advisories/2009/1771
https://exchange.xforce.ibmcloud.com/vulnerabilities/46262
https://nvd.nist.gov/vuln/detail/CVE-2008-4309
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6171
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6353
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9860
https://www.cve.org/CVERecord?id=CVE-2008-4309

History

Thu, 28 May 2026 18:30:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 16 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.08604}`	epss `{'score': 0.11144}`

Subscriptions

Net-snmp Net-snmp

Redhat Enterprise Linux

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2008-10-31T20:00:00.000Z

Updated: 2026-05-28T18:05:58.535Z

Reserved: 2008-09-29T00:00:00.000Z

Link: CVE-2008-4309

Vulnrichment

Updated: 2024-08-07T10:08:35.116Z

NVD

Status : Modified

Published: 2008-10-31T20:29:09.497

Modified: 2026-06-16T22:57:34.443

Link: CVE-2008-4309

Redhat

Severity : Important

Publid Date: 2008-10-31T00:00:00Z

Links: CVE-2008-4309 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object