Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2011-0418Improper Input Validation in Pure-ftpd

CWE-20Improper Input Validation9 documents7 sources
Severity
4.0MEDIUMNVD
EPSS
12.3%
top 6.12%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
Pureftpd Pure-ftpdNetbsd
Timeline
PublishedMay 24
Latest updateMay 17

Description

The glob implementation in Pure-FTPd before 1.0.32, and in libc in NetBSD 5.1, does not properly expand expressions containing curly brackets, which allows remote authenticated users to cause a denial of service (memory consumption) via a crafted FTP STAT command.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 8.0 | Impact: 2.9

Affected Packages2 packages

Debianpureftpd/pure-ftpd< 1.0.32-1+2
NVDpureftpd/pure-ftpd1.0.31+88

Also affects: Netbsd 5.1

Patches

Patch: cvsweb.netbsd.orgPatch: cvsweb.netbsd.orgPatch: cvsweb.netbsd.org

🔴Vulnerability Details

3
GHSA
GHSA-g8vx-5jmv-rgqx: The glob implementation in Pure-FTPd before 12022-05-17
OSV
CVE-2011-0418: The glob implementation in Pure-FTPd before 12011-05-24
CVEList
CVE-2011-0418: The glob implementation in Pure-FTPd before 12011-05-24

💥Exploits & PoCs

1
Exploit-DB
FreeBSD 9.1 - 'ftpd' Remote Denial of Service2013-02-05

📋Vendor Advisories

1
Debian
CVE-2011-0418: pure-ftpd - The glob implementation in Pure-FTPd before 1.0.32, and in libc in NetBSD 5.1, d...2011

💬Community

3
Bugzilla
CVE-2011-0418 pure-ftpd: GLOB_BRACE|GLOB_LIMIT memory exhaustion [epel-all]2011-05-12
Bugzilla
CVE-2011-0418 pure-ftpd: GLOB_BRACE|GLOB_LIMIT memory exhaustion [fedora-all]2011-05-12
Bugzilla
CVE-2011-0418 pure-ftpd: GLOB_BRACE|GLOB_LIMIT memory exhaustion2011-05-12
CVE-2011-0418 — Improper Input Validation in Pure-ftpd | cvebase