Vulnerability Description
The vsf_filename_passes_filter function in ls.c in vsftpd before 2.3.3 allows remote authenticated users to cause a denial of service (CPU consumption and process slot exhaustion) via crafted glob expressions in STAT commands in multiple FTP sessions, a different vulnerability than CVE-2010-2632.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vsftpd Project | Vsftpd | < 2.3.3 |
| Canonical | Ubuntu Linux | 6.06 |
| Fedoraproject | Fedora | 13 |
| Debian | Debian Linux | 5.0 |
| Opensuse | Opensuse | 11.2 |
| Suse | Linux Enterprise Server | 9 |
Related Weaknesses (CWE)
References
- ftp://vsftpd.beasts.org/users/cevans/untar/vsftpd-2.3.4/ChangelogBroken Link
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=622741Issue TrackingThird Party Advisory
- http://cxib.net/stuff/vspoc232.cBroken Link
- http://jvn.jp/en/jp/JVN37417423/index.htmlThird Party Advisory
- http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055881.htmlThird Party Advisory
- http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055882.htmlThird Party Advisory
- http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055957.htmlThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2011-05/msg00005.htmlMailing ListThird Party Advisory
- http://marc.info/?l=bugtraq&m=133226187115472&w=2Issue TrackingThird Party Advisory
- http://securityreason.com/achievement_securityalert/95ExploitThird Party Advisory
- http://securityreason.com/securityalert/8109ExploitThird Party Advisory
- http://www.debian.org/security/2011/dsa-2305Third Party Advisory
- http://www.exploit-db.com/exploits/16270ExploitThird Party AdvisoryVDB Entry
- http://www.kb.cert.org/vuls/id/590604Broken Link
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:049Third Party Advisory
FAQ
What is CVE-2011-0762?
CVE-2011-0762 is a vulnerability with a CVSS score of 4.0 (MEDIUM). The vsf_filename_passes_filter function in ls.c in vsftpd before 2.3.3 allows remote authenticated users to cause a denial of service (CPU consumption and process slot exhaustion) via crafted glob exp...
How severe is CVE-2011-0762?
CVE-2011-0762 has been rated MEDIUM with a CVSS base score of 4.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2011-0762?
Check the references section above for vendor advisories and patch information. Affected products include: Vsftpd Project Vsftpd, Canonical Ubuntu Linux, Fedoraproject Fedora, Debian Debian Linux, Opensuse Opensuse.