#VU75703 Memory leak in ProFTPD


Published: 2023-05-03

Vulnerability identifier: #VU75703

Vulnerability risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-46854

CWE-ID: CWE-401

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
ProFTPD
Server applications / File servers (FTP/HTTP)

Vendor: ProFTPD

Description
The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due memory leak in mod_radius. A remote attacker can force the application to disclose memory to the RADIUS server.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

ProFTPD: 1.3.0 - 1.3.7b

External links
http://github.com/proftpd/proftpd/issues/1284
http://github.com/proftpd/proftpd/pull/1285
http://bugs.gentoo.org/811495
http://www.proftpd.org/docs/RELEASE_NOTES-1.3.7e

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Gentoo update for ProFTPd
Memory leak in ProFTPD
openEuler 20.03 LTS SP3 update for proftpd
openEuler 20.03 LTS SP1 update for proftpd