#VU311 Denial of service in vsftpd - CVE-2011-0762
Published: August 15, 2016 / Updated: May 30, 2023
Vulnerability identifier: #VU311
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:A/U:Clear
CVE-ID: CVE-2011-0762
CWE-ID: CWE-400
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vulnerable software:
vsftpd
vsftpd
Software vendor:
vsftpd
vsftpd
Description
The vulnerability allows a remote attacker to cause a denial of service (DoS) attack.
The vulnerability exists due to an error in vsf_filename_passes_filter() function in ls.c file, when parsing glob expressions in STAT commands. A remote authenticated attacker can consume a large amount of CPU resources by creating multiple FTP sessions and sending specially crafted STAT commands.
Successful exploitation of the vulnerability may result in denial of service attack of entire system.
Remediation
Install the latest version 2.3.3 from vendor's website.