CVE-2020-5204

In uftpd before 2.11, there is a buffer overflow vulnerability in handle_PORT in ftpcmd.c that is caused by a buffer that is 16 bytes large being filled via sprintf() with user input based on the format specifier string %d.%d.%d.%d. The 16 byte size is correct for valid IPv4 addresses (len('255.255.255.255') == 16), but the format specifier %d allows more than 3 digits. This has been fixed in version 2.11

CVSS v3 8.8 HIGH
CVSS v2.0 6.5 MEDIUM

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.5^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00034.html
https://github.com/troglobit/uftpd/commit/0fb2c031ce0ace07cc19cd2cb2143c4b5a63c9dd	Patch Third Party Advisory
https://github.com/troglobit/uftpd/security/advisories/GHSA-wrpr-xw7q-9wvq	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:troglobit:uftpd:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-01-06 20:15

Updated : 2024-02-28 17:28

NVD link : CVE-2020-5204

Mitre link : CVE-2020-5204

CVE.ORG link : CVE-2020-5204

JSON object : View

Products Affected

troglobit

uftpd

CWE

CWE-120

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CWE-121

Stack-based Buffer Overflow

{"id": "CVE-2020-5204", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 3.7, "exploitabilityScore": 2.3}]}, "published": "2020-01-06T20:15:12.523", "references": [{"url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00034.html", "source": "security-advisories@github.com"}, {"url": "https://github.com/troglobit/uftpd/commit/0fb2c031ce0ace07cc19cd2cb2143c4b5a63c9dd", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/troglobit/uftpd/security/advisories/GHSA-wrpr-xw7q-9wvq", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-120"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-121"}]}], "descriptions": [{"lang": "en", "value": "In uftpd before 2.11, there is a buffer overflow vulnerability in handle_PORT in ftpcmd.c that is caused by a buffer that is 16 bytes large being filled via sprintf() with user input based on the format specifier string %d.%d.%d.%d. The 16 byte size is correct for valid IPv4 addresses (len('255.255.255.255') == 16), but the format specifier %d allows more than 3 digits. This has been fixed in version 2.11"}, {"lang": "es", "value": "En uftpd versiones anteriores a la versi\u00f3n 2.11, hay una vulnerabilidad de desbordamiento de b\u00fafer en la funci\u00f3n handle_PORT en el archivo ftpcmd.c que es causada por un b\u00fafer de 16 bytes de tama\u00f1o que est\u00e1 siendo llenado por medio de la funci\u00f3n sprintf() con una entrada de usuario basada en la cadena del especificador de formato %d.%d.%d.%d. El tama\u00f1o de 16 bytes es correcto para direcciones IPv4 v\u00e1lidas (len('255.255.255.255') == 16), pero el especificador de formato %d permite m\u00e1s de 3 d\u00edgitos. Esto se ha solucionado en la versi\u00f3n 2.11"}], "lastModified": "2020-01-18T19:15:10.947", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:troglobit:uftpd:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "91EBCEEE-1F37-42E3-8C48-41BF050C3BE7", "versionEndExcluding": "2.11"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}