CVE-2011-0418
published 2011-05-24CVE-2011-0418: The glob implementation in Pure-FTPd before 1.0.32, and in libc in NetBSD 5.1, does not properly expand expressions containing curly brackets, which allows…
PriorityP423medium4CVSS 2.0
AVNACLAuSCNINAP
EXPLOIT
EPSS
7.26%
93.6th percentile
The glob implementation in Pure-FTPd before 1.0.32, and in libc in NetBSD 5.1, does not properly expand expressions containing curly brackets, which allows remote authenticated users to cause a denial of service (memory consumption) via a crafted FTP STAT command.
Affected
123 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | pure-ftpd | < pure-ftpd 1.0.32-1 (bookworm) | pure-ftpd 1.0.32-1 (bookworm) |
| netbsd | netbsd | — | — |
| openbsd | openbsd | <= 4.8 | — |
| openbsd | openbsd | — | — |
| openbsd | openbsd | — | — |
| openbsd | openbsd | — | — |
| openbsd | openbsd | — | — |
| openbsd | openbsd | — | — |
| openbsd | openbsd | — | — |
| openbsd | openbsd | — | — |
| openbsd | openbsd | — | — |
| openbsd | openbsd | — | — |
| openbsd | openbsd | — | — |
| openbsd | openbsd | — | — |
| openbsd | openbsd | — | — |
| openbsd | openbsd | — | — |
| openbsd | openbsd | — | — |
| openbsd | openbsd | — | — |
| openbsd | openbsd | — | — |
| openbsd | openbsd | — | — |
| openbsd | openbsd | — | — |
| openbsd | openbsd | — | — |
| openbsd | openbsd | — | — |
| openbsd | openbsd | — | — |
| openbsd | openbsd | — | — |
CVSS provenance
nvdv2.04.0MEDIUMAV:N/AC:L/Au:S/C:N/I:N/A:P
osv4.0MEDIUM
vendor_debian4.0LOW
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-x6mv-pcvr-j73m: Multiple integer overflows in the glob implementation in libc in OpenBSD before 4
ghsa_unreviewed·2022-05-17·CVSS 4.0
CVE-2011-2168 [MEDIUM] GHSA-x6mv-pcvr-j73m: Multiple integer overflows in the glob implementation in libc in OpenBSD before 4
Multiple integer overflows in the glob implementation in libc in OpenBSD before 4.9 might allow context-dependent attackers to have an unspecified impact via a crafted string, related to the GLOB_APPEND and GLOB_DOOFFS flags, a different issue than CVE-2011-0418.
GHSA
GHSA-g8vx-5jmv-rgqx: The glob implementation in Pure-FTPd before 1
ghsa_unreviewed·2022-05-17
CVE-2011-0418 [MEDIUM] CWE-20 GHSA-g8vx-5jmv-rgqx: The glob implementation in Pure-FTPd before 1
The glob implementation in Pure-FTPd before 1.0.32, and in libc in NetBSD 5.1, does not properly expand expressions containing curly brackets, which allows remote authenticated users to cause a denial of service (memory consumption) via a crafted FTP STAT command.
OSV
CVE-2011-0418: The glob implementation in Pure-FTPd before 1
osv·2011-05-24·CVSS 4.0
CVE-2011-0418 [MEDIUM] CVE-2011-0418: The glob implementation in Pure-FTPd before 1
The glob implementation in Pure-FTPd before 1.0.32, and in libc in NetBSD 5.1, does not properly expand expressions containing curly brackets, which allows remote authenticated users to cause a denial of service (memory consumption) via a crafted FTP STAT command.
Debian
CVE-2011-0418: pure-ftpd - The glob implementation in Pure-FTPd before 1.0.32, and in libc in NetBSD 5.1, d...
vendor_debian·2011·CVSS 4.0
CVE-2011-0418 [MEDIUM] CVE-2011-0418: pure-ftpd - The glob implementation in Pure-FTPd before 1.0.32, and in libc in NetBSD 5.1, d...
The glob implementation in Pure-FTPd before 1.0.32, and in libc in NetBSD 5.1, does not properly expand expressions containing curly brackets, which allows remote authenticated users to cause a denial of service (memory consumption) via a crafted FTP STAT command.
Scope: local
bookworm: resolved (fixed in 1.0.32-1)
bullseye: resolved (fixed in 1.0.32-1)
sid: resolved (fixed in 1.0.32-1)
trixie: resolved (fixed in 1.0.32-1)
No detection rules found.
Bugzilla
CVE-2011-0418 pure-ftpd: GLOB_BRACE|GLOB_LIMIT memory exhaustion [epel-all]
bugzilla·2011-05-12·CVSS 4.0
CVE-2011-0418 [MEDIUM] CVE-2011-0418 pure-ftpd: GLOB_BRACE|GLOB_LIMIT memory exhaustion [epel-all]
CVE-2011-0418 pure-ftpd: GLOB_BRACE|GLOB_LIMIT memory exhaustion [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include the bug IDs of the
respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=704283
Please note: this issue affects multipl
Bugzilla
CVE-2011-0418 pure-ftpd: GLOB_BRACE|GLOB_LIMIT memory exhaustion [fedora-all]
bugzilla·2011-05-12·CVSS 4.0
CVE-2011-0418 [MEDIUM] CVE-2011-0418 pure-ftpd: GLOB_BRACE|GLOB_LIMIT memory exhaustion [fedora-all]
CVE-2011-0418 pure-ftpd: GLOB_BRACE|GLOB_LIMIT memory exhaustion [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include the bug IDs of the
respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=704283
Please note: this issue affects multi
Bugzilla
CVE-2011-0418 pure-ftpd: GLOB_BRACE|GLOB_LIMIT memory exhaustion
bugzilla·2011-05-12·CVSS 4.0
CVE-2011-0418 [MEDIUM] CVE-2011-0418 pure-ftpd: GLOB_BRACE|GLOB_LIMIT memory exhaustion
CVE-2011-0418 pure-ftpd: GLOB_BRACE|GLOB_LIMIT memory exhaustion
Multiple libc/glob(3) flaws were reported [1] that affect various *BSD libc implementations. In particular, globs containing braces could lead to resource exhaustion.
One such vulnerable application is Pure-FTPd. This has been corrected in upstream version 1.0.32, where support for braces expansion in directory listings was disabled.
[1] http://securityreason.com/achievement_securityalert/97
[2] http://www.pureftpd.org/project/pure-ftpd/news
Discussion:
Created pure-ftpd tracking bugs for this issue
Affects: fedora-all [bug 704285]
Affects: epel-all [bug 704286]
---
Fedora currently ships the fixed 1.0.32 in each supported release.
EPEL5 is not corrected (1.0.29) and EPEL6 is not corrected (1.0.30).
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gen/glob.c#rev1.28http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gen/glob.c.diff?r1=1.27&r2=1.28&f=hhttp://securityreason.com/achievement_securityalert/97http://securityreason.com/securityalert/8228http://www.mandriva.com/security/advisories?name=MDVSA-2011:094http://www.pureftpd.org/project/pure-ftpd/newshttp://www.securityfocus.com/bid/47671http://www.vupen.com/english/advisories/2011/1273https://bugzilla.redhat.com/show_bug.cgi?id=704283http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gen/glob.c#rev1.28http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gen/glob.c.diff?r1=1.27&r2=1.28&f=hhttp://securityreason.com/achievement_securityalert/97http://securityreason.com/securityalert/8228http://www.mandriva.com/security/advisories?name=MDVSA-2011:094http://www.pureftpd.org/project/pure-ftpd/newshttp://www.securityfocus.com/bid/47671http://www.vupen.com/english/advisories/2011/1273https://bugzilla.redhat.com/show_bug.cgi?id=704283
2011-05-24
Published