CVE-2020-9274 — HIGH (7.5) — White Hats Nepal

Q: How severe is CVE-2020-9274?

CVE-2020-9274 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-9274?

Check the references section above for vendor advisories and patch information. Affected products include: Pureftpd Pure-Ftpd, Debian Debian Linux, Fedoraproject Extra Packages For Enterprise Linux, Fedoraproject Fedora, Canonical Ubuntu Linux.

Vulnerability Description

An issue was discovered in Pure-FTPd 1.0.49. An uninitialized pointer vulnerability has been detected in the diraliases linked list. When the *lookup_alias(const char alias) or print_aliases(void) function is called, they fail to correctly detect the end of the linked list and try to access a non-existent list member. This is related to init_aliases in diraliases.c.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Pureftpd	Pure-Ftpd	< 1.0.50
Debian	Debian Linux	8.0
Fedoraproject	Extra Packages For Enterprise Linux	7.0
Fedoraproject	Fedora	30
Canonical	Ubuntu Linux	16.04

Related Weaknesses (CWE)

CWE-824

References

https://github.com/jedisct1/pure-ftpd/commit/8d0d42542e2cb7a56d645fbe4d0ef436e38PatchThird Party Advisory
https://lists.debian.org/debian-lts-announce/2020/02/msg00029.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.gentoo.org/glsa/202003-54Third Party Advisory
https://usn.ubuntu.com/4515-1/Third Party Advisory
https://www.pureftpd.org/project/pure-ftpd/news/Vendor Advisory
https://github.com/jedisct1/pure-ftpd/commit/8d0d42542e2cb7a56d645fbe4d0ef436e38PatchThird Party Advisory
https://lists.debian.org/debian-lts-announce/2020/02/msg00029.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.gentoo.org/glsa/202003-54Third Party Advisory
https://usn.ubuntu.com/4515-1/Third Party Advisory

FAQ

What is CVE-2020-9274?

CVE-2020-9274 is a vulnerability with a CVSS score of 7.5 (HIGH). An issue was discovered in Pure-FTPd 1.0.49. An uninitialized pointer vulnerability has been detected in the diraliases linked list. When the *lookup_alias(const char alias) or print_aliases(void) fun...

How severe is CVE-2020-9274?

CVE-2020-9274 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-9274?

Check the references section above for vendor advisories and patch information. Affected products include: Pureftpd Pure-Ftpd, Debian Debian Linux, Fedoraproject Extra Packages For Enterprise Linux, Fedoraproject Fedora, Canonical Ubuntu Linux.