Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2020-9274

CWE-82411 documents8 sources
Severity
7.5HIGH
EPSS
14.5%
top 5.55%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
5
Pureftpd Pure-ftpdCanonical Ubuntu LinuxDebian Debian Linux+2 more
Timeline
PublishedFeb 26
Latest updateMay 24

Description

An issue was discovered in Pure-FTPd 1.0.49. An uninitialized pointer vulnerability has been detected in the diraliases linked list. When the *lookup_alias(const char alias) or print_aliases(void) function is called, they fail to correctly detect the end of the linked list and try to access a non-existent list member. This is related to init_aliases in diraliases.c.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

NVDpureftpd/pure-ftpd< 1.0.50
Debianpure-ftpd< 1.0.49-4+2
Ubuntupure-ftpd< 1.0.36-3.2+deb8u1build0.16.04.1

Also affects: Debian Linux 8.0, Fedora 30, 31, 32, Ubuntu Linux 16.04

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

4
GHSA
GHSA-26hm-gghq-x5rr: An issue was discovered in Pure-FTPd 12022-05-24
OSV
pure-ftpd vulnerability2020-09-17
CVEList
CVE-2020-9274: An issue was discovered in Pure-FTPd 12020-02-26
OSV
CVE-2020-9274: An issue was discovered in Pure-FTPd 12020-02-26

💥Exploits & PoCs

1
Nuclei
Pure-FTPd ≤ 1.0.49 - DoS via Uninitialized Pointer

📋Vendor Advisories

2
Ubuntu
Pure-FTPd vulnerability2020-09-17
Debian
CVE-2020-9274: pure-ftpd - An issue was discovered in Pure-FTPd 1.0.49. An uninitialized pointer vulnerabil...2020

💬Community

3
Bugzilla
CVE-2020-9274 pure-ftpd: uninitialized pointer in the diraliases linked list leads to denial of service or information disclosure [epel-all]2020-05-04
Bugzilla
CVE-2020-9274 pure-ftpd: uninitialized pointer in the diraliases linked list leads to denial of service or information disclosure [fedora-all]2020-05-04
Bugzilla
CVE-2020-9274 pure-ftpd: uninitialized pointer in the diraliases linked list leads to denial of service or information disclosure2020-05-04