Sign-up

ID

VAR-202002-1070


CVE

CVE-2020-9365


TITLE

Pure-FTPd Out-of-bounds read vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2020-002209

DESCRIPTION

An issue was discovered in Pure-FTPd 1.0.49. An out-of-bounds (OOB) read has been detected in the pure_strcmp function in utils.c. Pure-FTPd is an FTP (File Transfer Protocol) server. A buffer overflow vulnerability exists in the 'pure_strcmp' function of the utils.c file in Pure-FTPd version 1.0.49. The vulnerability originates from a network system or product that incorrectly validates data boundaries when performing operations on memory, causing incorrect read and write operations to be performed on other associated memory locations. An attacker could use this vulnerability to cause a buffer overflow or heap overflow. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202003-54 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Low Title: Pure-FTPd: Multiple vulnerabilities Date: March 25, 2020 Bugs: #711124 ID: 202003-54 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in Pure-FTPd, the worst of which could allow remote attackers to cause a Denial of Service condition. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-ftp/pure-ftpd < 1.0.49-r2 >= 1.0.49-r2 Description =========== Multiple vulnerabilities have been discovered in Pure-FTPd. Please review the CVE identifiers referenced below for details. Impact ====== A remote attacker could possibly cause a Denial of Service condition or cause an information disclosure. Workaround ========== There is no known workaround at this time. Resolution ========== All Pure-FTPd users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-ftp/pure-ftpd-1.0.49-r2" References ========== [ 1 ] CVE-2020-9274 https://nvd.nist.gov/vuln/detail/CVE-2020-9274 [ 2 ] CVE-2020-9365 https://nvd.nist.gov/vuln/detail/CVE-2020-9365 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202003-54 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2020 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5

Trust: 2.34

sources: NVD: CVE-2020-9365 // JVNDB: JVNDB-2020-002209 // CNVD: CNVD-2020-13470 // VULMON: CVE-2020-9365 // PACKETSTORM: 156917

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-13470

AFFECTED PRODUCTS

vendor:pureftpdmodel:pure-ftpdscope:eqversion:1.0.49

Trust: 1.8

vendor:fedoraprojectmodel:fedorascope:eqversion:32

Trust: 1.0

vendor:fedoraprojectmodel:fedorascope:eqversion:30

Trust: 1.0

vendor:fedoraprojectmodel:fedorascope:eqversion:31

Trust: 1.0

vendor:pure ftpdmodel:pure-ftpdscope:eqversion:1.0.49

Trust: 0.6

sources: CNVD: CNVD-2020-13470 // JVNDB: JVNDB-2020-002209 // NVD: CVE-2020-9365

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-9365
value: HIGH

Trust: 1.0

NVD: JVNDB-2020-002209
value: HIGH

Trust: 0.8

CNVD: CNVD-2020-13470
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202002-1111
value: HIGH

Trust: 0.6

VULMON: CVE-2020-9365
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-9365
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

NVD: JVNDB-2020-002209
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2020-13470
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2020-9365
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-002209
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-13470 // VULMON: CVE-2020-9365 // JVNDB: JVNDB-2020-002209 // CNNVD: CNNVD-202002-1111 // NVD: CVE-2020-9365

PROBLEMTYPE DATA

problemtype:CWE-125

Trust: 1.8

sources: JVNDB: JVNDB-2020-002209 // NVD: CVE-2020-9365

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 156917 // CNNVD: CNNVD-202002-1111

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-202002-1111

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2020-002209

PATCH
title:pure_strcmp(): len(s2) can be > len(s1)url:https://github.com/jedisct1/pure-ftpd/commit/36c6d268cb190282a2c17106acfd31863121b58e
Trust: 0.8
title:Patch for Pure-FTPd buffer overflow vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/204769
Trust: 0.6
title:Pure-FTPd Buffer error vulnerability fixurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=110778
Trust: 0.6
title:Debian CVElist Bug Report Logs: pure-ftpd: CVE-2020-9365url:https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=85d0371a1e886261381fbcc1e4d432f0
Trust: 0.1
title: - url:https://github.com/Ac1d-0-0/BinaryAnalyzer 
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2020-13470 // 
            
            
            
            VULMON: CVE-2020-9365 // 
            
            
            
            JVNDB: JVNDB-2020-002209 // 
            
            
            
            CNNVD: CNNVD-202002-1111

EXTERNAL IDS
db:NVDid:CVE-2020-9365
Trust: 3.2
db:JVNDBid:JVNDB-2020-002209
Trust: 0.8
db:PACKETSTORMid:156917
Trust: 0.7
db:CNVDid:CNVD-2020-13470
Trust: 0.6
db:CNNVDid:CNNVD-202002-1111
Trust: 0.6
db:VULMONid:CVE-2020-9365
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2020-13470 // 
            
            
            
            VULMON: CVE-2020-9365 // 
            
            
            
            JVNDB: JVNDB-2020-002209 // 
            
            
            
            PACKETSTORM: 156917 // 
            
            
            
            CNNVD: CNNVD-202002-1111 // 
            
            
            
            NVD: CVE-2020-9365

REFERENCES
url:https://nvd.nist.gov/vuln/detail/cve-2020-9365
Trust: 2.1
url:https://security.gentoo.org/glsa/202003-54
Trust: 1.7
url:https://github.com/jedisct1/pure-ftpd/commit/bf6fcd4935e95128cf22af5924cdc8fe5c0579da
Trust: 1.6
url:https://github.com/jedisct1/pure-ftpd/commit/36c6d268cb190282a2c17106acfd31863121b58e
Trust: 1.6
url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22p44peczwndp7cmbl7nrbmnfs73c5z2/
Trust: 1.0
url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/b5nsudwxzvwucl6r2ptx3kbb42z62ca5/
Trust: 1.0
url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/u5dbvhjcxwrsjpnjqcjqckzf6zdpzcka/
Trust: 1.0
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-9365
Trust: 0.8
url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/u5dbvhjcxwrsjpnjqcjqckzf6zdpzcka/
Trust: 0.6
url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/b5nsudwxzvwucl6r2ptx3kbb42z62ca5/
Trust: 0.6
url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22p44peczwndp7cmbl7nrbmnfs73c5z2/
Trust: 0.6
url:https://packetstormsecurity.com/files/156917/gentoo-linux-security-advisory-202003-54.html
Trust: 0.6
url:https://creativecommons.org/licenses/by-sa/2.5
Trust: 0.1
url:https://security.gentoo.org/
Trust: 0.1
url:https://bugs.gentoo.org.
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2020-9274
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2020-13470 // 
            
            
            
            JVNDB: JVNDB-2020-002209 // 
            
            
            
            PACKETSTORM: 156917 // 
            
            
            
            CNNVD: CNNVD-202002-1111 // 
            
            
            
            NVD: CVE-2020-9365

CREDITS
Gentoo
Trust: 0.7
sources:
            
            
            PACKETSTORM: 156917 // 
            
            
            
            CNNVD: CNNVD-202002-1111

SOURCES
db:CNVDid:CNVD-2020-13470
db:VULMONid:CVE-2020-9365
db:JVNDBid:JVNDB-2020-002209
db:PACKETSTORMid:156917
db:CNNVDid:CNNVD-202002-1111
db:NVDid:CVE-2020-9365

LAST UPDATE DATE
2024-11-23T23:01:31.494000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2020-13470date:2020-02-25T00:00:00
db:VULMONid:CVE-2020-9365date:2020-11-16T00:00:00
db:JVNDBid:JVNDB-2020-002209date:2020-03-06T00:00:00
db:CNNVDid:CNNVD-202002-1111date:2020-10-19T00:00:00
db:NVDid:CVE-2020-9365date:2024-11-21T05:40:29.437

SOURCES RELEASE DATE
db:CNVDid:CNVD-2020-13470date:2020-02-25T00:00:00
db:VULMONid:CVE-2020-9365date:2020-02-24T00:00:00
db:JVNDBid:JVNDB-2020-002209date:2020-03-06T00:00:00
db:PACKETSTORMid:156917date:2020-03-26T14:45:34
db:CNNVDid:CNNVD-202002-1111date:2020-02-24T00:00:00
db:NVDid:CVE-2020-9365date:2020-02-24T16:15:13.313