Improper input validation - #VU38

 

Published: June 28, 2016 / Updated: November 22, 2018


Vulnerability identifier: #VU38
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor:
Affected software:

Detailed vulnerability description

The vulnerability allows a remote authenticated user to cause denial of service.

The vulnerability exists due to improper handling of domain names in /scripts/killpvhost when matching them against entries in the ProFTPD configuration file during host removal. An attacker can create an account with regular expression metacharacters. When such an account is removed, the IP address dedicated to this account is also removed from the FTP configuration.

Successful exploitation of this vulnerability may cause partial denial of service.
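
The matching flaw described above, shown next to two hardened comparisons. This is an added Python example, not code from /scripts/killpvhost or from the vendor. The function names, the sample configuration and the assumption that entries are selected by their ServerName line are all illustrative.

```python
import re

# Constructed sample in ProFTPD <VirtualHost> syntax; names and addresses are made up.
SAMPLE_CONF = """\
<VirtualHost 192.0.2.10>
  ServerName ftp.alpha.test
</VirtualHost>
<VirtualHost 192.0.2.20>
  ServerName ftpxalpha.test
</VirtualHost>
"""

BLOCK = re.compile(r"<VirtualHost\s+(\S+)>\n(.*?)</VirtualHost>\n", re.S)
SERVER_NAME = re.compile(r"^\s*ServerName\s+(\S+)\s*$", re.M)


def remove_vhost(conf, domain, matches):
    """Return (new_conf, removed_ips); drops blocks whose ServerName satisfies matches()."""
    removed = []

    def keep_or_drop(m):
        name = SERVER_NAME.search(m.group(2))
        if name and matches(domain, name.group(1)):
            removed.append(m.group(1))
            return ""
        return m.group(0)

    return BLOCK.sub(keep_or_drop, conf), removed


def unsafe_match(domain, server_name):
    # Flawed: the domain is used as a pattern, so ".", "*", "(" keep their regex meaning.
    return re.search(domain, server_name) is not None


def safe_match(domain, server_name):
    # Hardened: literal comparison (hostnames are case-insensitive).
    return domain.lower() == server_name.lower()


def escaped_match(domain, server_name):
    # Alternative when a regex is required: escape the name and anchor both ends.
    return re.fullmatch(re.escape(domain), server_name, re.I) is not None


if __name__ == "__main__":
    for fn in (unsafe_match, safe_match, escaped_match):
        print(fn.__name__, remove_vhost(SAMPLE_CONF, "ftp.alpha.test", fn)[1])
```

With the unescaped pattern, removing one host also drops the second block, because each "." in the name matches any character. The literal and escaped comparisons remove only the exact entry.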


Remediation

Install the latest version 11.56.0.15, 11.54.0.24, 11.52.6.1 or 11.50.6.2.
