CVE-2019-25686 — HIGH (7.5)

Vulnerability Description

Core FTP 2.0 build 653 contains a denial of service vulnerability in the PBSZ command that allows unauthenticated attackers to crash the service by sending a malformed command with an oversized buffer. Attackers can send a PBSZ command with a payload exceeding 211 bytes to trigger an access violation and crash the FTP server process.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Coreftp	Core Ftp	2.0

Related Weaknesses (CWE)

CWE-306

References

http://coreftp.com/server/download/archive/CoreFTPServer653.exeProduct
http://www.coreftp.com/Product
https://www.exploit-db.com/exploits/46532ExploitVDB Entry
https://www.vulncheck.com/advisories/core-ftp-build-653-pbsz-unauthenticated-denThird Party Advisory

FAQ

What is CVE-2019-25686?

CVE-2019-25686 is a vulnerability with a CVSS score of 7.5 (HIGH). Core FTP 2.0 build 653 contains a denial of service vulnerability in the PBSZ command that allows unauthenticated attackers to crash the service by sending a malformed command with an oversized buffer...

How severe is CVE-2019-25686?

CVE-2019-25686 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-25686?

Check the references section above for vendor advisories and patch information. Affected products include: Coreftp Core Ftp.