CVE-2019-11365
published 2019-04-20

Priority: P355
Severity: critical, 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 4.29% (89.9th percentile)
An issue was discovered in atftpd in atftp 0.7.1. A remote attacker may send a crafted packet triggering a stack-based buffer overflow due to an insecurely implemented strncpy call. The vulnerability is triggered by sending an error packet of 3 bytes or fewer. There are multiple instances of this vulnerable strncpy pattern within the code base, specifically within tftpd_file.c, tftp_file.c, tftpd_mtftp.c, and tftp_mtftp.c.
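The description above gives two concrete facts: the overflow comes from a strncpy call whose length is derived from the received packet, and it is triggered by an error packet of 3 bytes or fewer. A TFTP ERROR packet (RFC 1350) carries a 4-byte header (2-byte opcode, 2-byte error code) ahead of the message string, so those facts point at an unchecked "packet length minus 4" computation that wraps around for a short packet. The C program below is an added illustration of that pattern next to a hardened parser; it is constructed for this page and is not atftp's source (the exact expression in tftpd_file.c is not shown here). The 64-byte buffer, the function names, and the sample packets are assumptions made for the example, and the flawed length is returned as a value rather than handed to strncpy so the program runs without corrupting its own stack.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TFTP ERROR packet layout (RFC 1350):
 *   opcode (2 bytes, value 5) | ErrorCode (2 bytes) | ErrMsg (string) | 0
 * so the fixed header is 4 bytes and the message starts at offset 4. */
#define TFTP_ERROR_HDR 4
#define TFTP_OP_ERROR  5
#define MSG_BUF_SIZE   64   /* assumed size of the receiving stack buffer */

struct tftp_error {
    uint16_t opcode;
    uint16_t code;
    char     msg[MSG_BUF_SIZE];
};

/* The flawed arithmetic behind the "3 bytes or fewer" trigger: the copy
 * length is taken as (packet length - header length) without first checking
 * that the packet is at least header-sized. In size_t the subtraction wraps,
 * so a 0..3 byte packet yields an enormous copy length. It is returned here
 * instead of being passed to strncpy() so the example can run safely. */
size_t unsafe_copy_len(size_t pkt_len)
{
    return pkt_len - TFTP_ERROR_HDR;   /* wraps around when pkt_len < 4 */
}

/* Hardened form: reject packets shorter than the header, bound the copy by
 * the destination, and NUL-terminate explicitly (strncpy() leaves the
 * destination unterminated when the source fills it).
 * Returns 0 on success, -1 on a malformed packet. */
int parse_error_packet(const uint8_t *pkt, size_t pkt_len, struct tftp_error *out)
{
    if (pkt == NULL || out == NULL || pkt_len < TFTP_ERROR_HDR)
        return -1;                                   /* the 0..3 byte case */

    out->opcode = (uint16_t)((pkt[0] << 8) | pkt[1]);
    out->code   = (uint16_t)((pkt[2] << 8) | pkt[3]);
    if (out->opcode != TFTP_OP_ERROR)
        return -1;

    size_t avail = pkt_len - TFTP_ERROR_HDR;         /* safe: pkt_len >= 4 */
    size_t n = avail < sizeof(out->msg) - 1 ? avail : sizeof(out->msg) - 1;
    strncpy(out->msg, (const char *)pkt + TFTP_ERROR_HDR, n);
    out->msg[n] = '\0';                              /* never rely on strncpy for this */
    return 0;
}

/* Constructed packets used by the demo functions below. */

/* A 3-byte fragment: opcode 5 plus one byte of error code. Returns 1 if rejected. */
int demo_short_packet_rejected(void)
{
    const uint8_t pkt[3] = { 0x00, 0x05, 0x00 };
    struct tftp_error e;
    return parse_error_packet(pkt, sizeof pkt, &e) == -1;
}

/* A well-formed packet: error code 1 with the message "File not found".
 * Returns the parsed error code, or -1 if parsing or the message check fails. */
int demo_well_formed_code(void)
{
    static const uint8_t pkt[] = {
        0x00, 0x05, 0x00, 0x01,
        'F','i','l','e',' ','n','o','t',' ','f','o','u','n','d', 0x00
    };
    struct tftp_error e;
    if (parse_error_packet(pkt, sizeof pkt, &e) != 0)
        return -1;
    return strcmp(e.msg, "File not found") == 0 ? (int)e.code : -1;
}

/* A 200-byte unterminated message is truncated to the buffer, not written past it.
 * Returns the stored message length. */
size_t demo_long_message_len(void)
{
    uint8_t pkt[4 + 200];
    struct tftp_error e;
    memset(pkt, 'A', sizeof pkt);
    pkt[0] = 0x00; pkt[1] = 0x05; pkt[2] = 0x00; pkt[3] = 0x00;
    if (parse_error_packet(pkt, sizeof pkt, &e) != 0)
        return 0;
    return strlen(e.msg);
}

int main(void)
{
    printf("copy length the unchecked arithmetic yields for a 3-byte packet: %zu\n",
           unsafe_copy_len(3));
    printf("3-byte packet rejected: %d\n", demo_short_packet_rejected());
    printf("well-formed packet error code: %d\n", demo_well_formed_code());
    printf("200-byte message stored as %zu bytes\n", demo_long_message_len());
    return 0;
}
```

The minimum-length check is the fix that matters: once pkt_len is known to be at least 4, the subtraction cannot wrap and the min() against the destination size keeps strncpy inside the buffer. The explicit terminator is a separate, independent guard, because strncpy with a full-length source never writes a NUL.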

Affected

8 ranges

Vendor          Product   Version range                             Fixed in
atftp_project   atftp
atftp_project   atftp     >= 0 < 0.7.git20120829-3.1                0.7.git20120829-3.1
atftp_project   atftp     >= 0 < 0.7.git20120829-3.1                0.7.git20120829-3.1
atftp_project   atftp     >= 0 < 0.7.git20120829-3.1                0.7.git20120829-3.1
atftp_project   atftp     >= 0 < 0.7.git20120829-3.1                0.7.git20120829-3.1
atftp_project   atftp     >= 0 < 0.7.git20120829-3.1~0.16.04.1      0.7.git20120829-3.1~0.16.04.1
atftp_project   atftp     >= 0 < 0.7.git20120829-3.1~0.18.04.1      0.7.git20120829-3.1~0.18.04.1
debian          atftp     < atftp 0.7.git20120829-3.1 (bookworm)    atftp 0.7.git20120829-3.1 (bookworm)

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.0      9.8     CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
osv                       9.8     CRITICAL
vendor_debian             9.8     CRITICAL
vendor_ubuntu             9.8     CRITICAL