CVE-2019-11366NULL Pointer Dereference in Project Atftp

CWE-476NULL Pointer Dereference9 documents6 sources
Severity
5.9MEDIUMNVD
OSV9.8
EPSS
1.3%
top 20.38%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Atftp Project Atftp
Timeline
PublishedApr 20
Latest updateMay 24

Description

An issue was discovered in atftpd in atftp 0.7.1. It does not lock the thread_list_mutex mutex before assigning the current thread data structure. As a result, the daemon is vulnerable to a denial of service attack due to a NULL pointer dereference. If thread_data is NULL when assigned to current, and modified by another thread before a certain tftpd_list.c check, there is a crash when dereferencing current->next.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 2.2 | Impact: 3.6

Affected Packages3 packages

Debianatftp_project/atftp< 0.7.git20120829-3.1+3
Ubuntuatftp_project/atftp< 0.7.git20120829-3.1~0.16.04.1

Patches

Patch: sourceforge.netPatch: sourceforge.net

🔴Vulnerability Details

5
GHSA
GHSA-4hq6-rhmw-hgw9: An issue was discovered in atftpd in atftp 02022-05-24
OSV
atftp vulnerabilities2020-11-24
OSV
atftp vulnerabilities2020-09-24
CVEList
CVE-2019-11366: An issue was discovered in atftpd in atftp 02019-04-20
OSV
CVE-2019-11366: An issue was discovered in atftpd in atftp 02019-04-20

📋Vendor Advisories

3
Ubuntu
atftp vulnerabilities2020-11-24
Ubuntu
atftpd vulnerabilities2020-09-24
Debian
CVE-2019-11366: atftp - An issue was discovered in atftpd in atftp 0.7.1. It does not lock the thread_li...2019
CVE-2019-11366 — NULL Pointer Dereference | cvebase