Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).
CVE-2014-8517 — Command Injection in NetBSD
Severity: 7.5 HIGH (NVD)
EPSS: 85.0% (top 0.65%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline
Published: Nov 17
Latest update: May 17
Description
The fetch_url function in usr.bin/ftp/fetch.c in tnftp, as used in NetBSD 5.1 through 5.1.4, 5.2 through 5.2.2, 6.0 through 6.0.6, and 6.1 through 6.1.5 allows remote attackers to execute arbitrary commands via a | (pipe) character at the end of an HTTP redirect.
CVSS vector
AV:N/AC:L/C:P/I:P/A:P
Exploitability: 10.0 | Impact: 6.4
Affected Packages (1 package)
Also affects: NetBSD 5.1, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.2, 5.2.1, 5.2.2, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5
Community
Bugzilla: CVE-2014-8517 tnftp: ftp client could be forced to execute arbitrary commands [fedora-all] (2014-10-29)