#VU75703 Memory leak in ProFTPD - CVE-2021-46854


Vulnerability identifier: #VU75703

Vulnerability risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-46854

CWE-ID: CWE-401

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
ProFTPD
Server applications / File servers (FTP/HTTP)

Vendor: ProFTPD

Description
The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due memory leak in mod_radius. A remote attacker can force the application to disclose memory to the RADIUS server.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

ProFTPD: 1.3.0a - 1.3.7

External links
https://github.com/proftpd/proftpd/issues/1284
https://github.com/proftpd/proftpd/pull/1285
https://bugs.gentoo.org/811495
https://www.proftpd.org/docs/RELEASE_NOTES-1.3.7e

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Meinberg LANTIME firmware update for third-party components (January 2024)
Gentoo update for ProFTPd
Memory leak in ProFTPD
openEuler 20.03 LTS SP3 update for proftpd
openEuler 20.03 LTS SP1 update for proftpd