Gentoo Foundation: GLSA-202305-03
May 03, 2023 - 12:00 a.m.

ProFTPd: Memory Disclosure

Gentoo Foundation
security.gentoo.org

CVSS3: 7.5 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.001 Low (Percentile: 48.4%)

Background

ProFTPD is an advanced and very configurable FTP server.

Description

ProFTPd unconditionally sends passwords to Radius servers for authentication in multiples of 16 bytes. If a password is not of a length that is a multiple of 16 bytes, ProFTPd will read beyond the end of the password string and send bytes beyond the end of the string buffer.

Impact

Radius servers used for authentication can receive the contents of the ProFTPd process’ memory.
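The Description and Impact sections above describe a padding over-read: the RADIUS User-Password attribute is built in 16-byte blocks, and a copy that takes the padded length directly from the password's location pulls in whatever process memory follows the terminating NUL. The C program below is an added illustration, not ProFTPD's code: build_attr_unsafe models that unbounded copy over a constructed memory layout (a 7-byte password followed by constructed "secret" bytes), build_attr_safe is the hardened form that copies only the password's own bytes and zero-fills the rest of the block, and leaked_bytes counts how many attribute bytes came from past the password. All function names, the buffer layout and the sample contents are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* RADIUS pads the cleartext password to a multiple of 16 bytes before
 * obfuscating it; 128 bytes is the attribute's maximum. (Example code,
 * not ProFTPD's implementation.) */
#define RADIUS_PW_BLOCK 16
#define RADIUS_PW_MAX   128

/* Round a password length up to the next multiple of 16 (minimum one block). */
size_t radius_padded_len(size_t len) {
    size_t n = (len + RADIUS_PW_BLOCK - 1) / RADIUS_PW_BLOCK * RADIUS_PW_BLOCK;
    return n == 0 ? RADIUS_PW_BLOCK : n;
}

/* Unsafe pattern, modelled on the advisory text: the padded length is
 * copied straight from where the password sits in memory, so bytes after
 * the NUL terminator end up in the attribute. `mem` stands in for the
 * process memory around the password; the bounds check on mem_len only
 * keeps this demonstration itself well-defined. */
size_t build_attr_unsafe(const unsigned char *mem, size_t mem_len,
                         unsigned char *out, size_t out_cap) {
    const unsigned char *nul = memchr(mem, 0, mem_len);
    size_t pw_len = nul ? (size_t)(nul - mem) : mem_len;
    size_t padded = radius_padded_len(pw_len);
    if (padded > out_cap || padded > mem_len)
        return 0;
    memcpy(out, mem, padded);          /* over-read: copies past the NUL */
    return padded;
}

/* Hardened form: copy exactly the password's bytes, then zero the padding. */
size_t build_attr_safe(const char *pw, unsigned char *out, size_t out_cap) {
    size_t pw_len = strlen(pw);
    if (pw_len > RADIUS_PW_MAX)
        return 0;
    size_t padded = radius_padded_len(pw_len);
    if (padded > out_cap)
        return 0;
    memcpy(out, pw, pw_len);
    memset(out + pw_len, 0, padded - pw_len);
    return padded;
}

/* Count non-zero attribute bytes beyond the password's own length, i.e.
 * bytes that came from adjacent memory rather than from zero padding. */
size_t leaked_bytes(const unsigned char *attr, size_t attr_len, size_t pw_len) {
    size_t n = 0;
    for (size_t i = pw_len; i < attr_len; i++)
        if (attr[i] != 0)
            n++;
    return n;
}

/* Constructed layout: 7-byte password, its NUL, then unrelated secret data. */
static const unsigned char constructed_mem[40] =
    "hunter2\0" "SECRET-COOKIE-1234567890";
static const size_t constructed_pw_len = 7;

/* Bytes of adjacent memory the unsafe builder puts on the wire (8 here:
 * the 16-byte block minus 7 password bytes minus the NUL). */
size_t demo_unsafe_leak(void) {
    unsigned char attr[RADIUS_PW_MAX];
    size_t n = build_attr_unsafe(constructed_mem, sizeof constructed_mem,
                                 attr, sizeof attr);
    return leaked_bytes(attr, n, constructed_pw_len);
}

/* Same password through the hardened builder: only zero padding follows. */
size_t demo_safe_leak(void) {
    unsigned char attr[RADIUS_PW_MAX];
    size_t n = build_attr_safe("hunter2", attr, sizeof attr);
    return leaked_bytes(attr, n, constructed_pw_len);
}

int main(void) {
    printf("padded length for 7-byte password: %zu\n", radius_padded_len(7));
    printf("adjacent bytes leaked by unsafe builder: %zu\n", demo_unsafe_leak());
    printf("adjacent bytes leaked by safe builder:   %zu\n", demo_safe_leak());
    return 0;
}
```

The point of the comparison is that the padded length is legitimate; the defect is using it as a copy length from the source buffer instead of as an output length to zero-fill. A password whose length is already a multiple of 16 leaks nothing, which is why the advisory's "not a multiple of 16 bytes" condition matters.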

Workaround

There is no known workaround at this time.

Resolution

All ProFTPd users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-ftp/proftpd-1.3.7c"

OS     | Version | Architecture | Package         | Version  | Filename
Gentoo | any     | all          | net-ftp/proftpd | < 1.3.7c | UNKNOWN
