Lucene search

[email protected]CVE-2020-9273

HistoryFeb 20, 2020 - 4:15 p.m.

CVE-2020-9273

2020-02-2016:15:11

CWE-416

[email protected]

web.nvd.nist.gov

195

proftpd

cve-2020-9273

memory corruption

remote code execution

nvd

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.7 High

AI Score

Confidence

High

9 High

CVSS2

Access Vector

Access Complexity

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

0.07 Low

EPSS

Percentile

94.0%

JSON

In ProFTPD 1.3.7, it is possible to corrupt the memory pool by interrupting the data transfer channel. This triggers a use-after-free in alloc_pool in pool.c, and possible remote code execution.

Affected configurations

NVD

Node

proftpdproftpdMatch1.3.7

Node

debiandebian_linuxMatch8.0

debiandebian_linuxMatch9.0

debiandebian_linuxMatch10.0

Node

fedoraprojectfedoraMatch30

fedoraprojectfedoraMatch31

Node

opensusebackports_sleMatch15.0-

opensusebackports_sleMatch15.0sp1

opensuseleapMatch15.1

Node

siemenssimatic_net_cp_1545-1_firmwareMatch-

AND

siemenssimatic_net_cp_1545-1Match-

Node

siemenssimatic_net_cp_1543-1_firmwareRange<3.0

AND

siemenssimatic_net_cp_1543-1Match-

CPENameOperatorVersion
proftpd:proftpdproftpdeq1.3.7

CPE	Name	Operator	Version
proftpd:proftpd	proftpd	eq	1.3.7

References

lists.opensuse.org/opensuse-security-announce/2020-03/msg00002.html

www.openwall.com/lists/oss-security/2021/08/25/1

www.openwall.com/lists/oss-security/2021/09/06/2

cert-portal.siemens.com/productcert/pdf/ssa-679335.pdf

github.com/proftpd/proftpd/blob/master/RELEASE_NOTES

github.com/proftpd/proftpd/issues/903

lists.debian.org/debian-lts-announce/2020/02/msg00022.html

lists.debian.org/debian-lts-announce/2020/03/msg00002.html

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCUPRYSJR7XOM3HQ6H5M4OGDU7OHCHBF/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XHO3S5WPRRP7VGKIAHLYQVEYW5HRYIJN/

security.gentoo.org/glsa/202003-35

www.debian.org/security/2020/dsa-4635

Social References

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.7 High

AI Score

Confidence

High

9 High

CVSS2

Access Vector

Access Complexity

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

0.07 Low

EPSS

Percentile

94.0%

JSON

Related for CVE-2020-9273

debian4 openvas8 ubuntucve1 checkpoint_advisories1 prion1 osv4 nessus7 githubexploit1 debiancve1 mageia1 cvelist1 nvd1 suse1 ics1 gentoo1 fedora2