Resource exhaustion in Pure-FTPd - CVE-2019-20176
Published: February 27, 2020 / Updated: June 15, 2022
Vulnerability identifier: #VU25671
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:U/U:Clear
CVE-ID: CVE-2019-20176
CWE-ID: CWE-400
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: PureFTPd.org
Affected software:
Pure-FTPd
Pure-FTPd
Detailed vulnerability description
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to a stack exhaustion issue in the listdir() function in ls.c. A remote authenticated user can use a specially crafted LS command to perform a denial of service (DoS) attack.
How to mitigate CVE-2019-20176
Install update from vendor's website.
Sources
- https://github.com/jedisct1/pure-ftpd/commit/aea56f4bcb9948d456f3fae4d044fd3fa2e19706
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AHZG5FPCRMCB6Z3L7FPICC6BZ5ZATFTO/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PICL3U2J4EPGBLOE555Y5RAZTQL3WBBV/