MidnightBSD

Advisories for proftpd

CVE-2001-0136 MEDIUM

Memory leak in ProFTPd 1.2.0rc2 allows remote attackers to cause a denial of service via a series of USER commands, and possibly SIZE commands if the server has been improperly installed.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-401

Products Affected

Vendor Product Version
proftpd proftpd 1.2.0
mandrakesoft mandrake_linux 7.2
conectiva linux *
debian debian_linux 2.2

CVE-2004-0346 HIGH

Off-by-one buffer overflow in _xlate_ascii_write() in ProFTPD 1.2.7 through 1.2.9rc2p allows local users to gain privileges via a 1024 byte RETR command.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-193

Products Affected

Vendor Product Version
proftpd proftpd 1.2.9
proftpd proftpd *

CVE-2004-1602 MEDIUM

ProFTPD 1.2.x, including 1.2.8 and 1.2.10, responds in a different amount of time when a given username exists, which allows remote attackers to identify valid usernames by timing the server response.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-203

Products Affected

Vendor Product Version
proftpd proftpd *

CVE-2008-7265 MEDIUM

The pr_data_xfer function in ProFTPD before 1.3.2rc3 allows remote authenticated users to cause a denial of service (CPU consumption) via an ABOR command during a data transfer.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399

Products Affected

Vendor Product Version
proftpd proftpd 1.2.4
proftpd proftpd 1.3.2
proftpd proftpd 1.3.1
proftpd proftpd 1.2.9
proftpd proftpd 1.2.3
proftpd proftpd 1.2.7
proftpd proftpd *
proftpd proftpd 1.2.1
proftpd proftpd 1.2.2
proftpd proftpd 1.2.6
proftpd proftpd 1.2.10
proftpd proftpd 1.2.0
proftpd proftpd 1.2.5
proftpd proftpd 1.3.0
proftpd proftpd 1.2.8

CVE-2010-20103

A malicious backdoor was embedded in the official ProFTPD 1.3.3c source tarball distributed between November 28 and December 2, 2010. The backdoor implements a hidden FTP command trigger that, when invoked, causes the server to execute arbitrary shell commands with root privileges. This allows remote, unauthenticated attackers to run any OS command on the FTP server host.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
proftpd proftpd 1.3.3

CVE-2010-3867 HIGH

Multiple directory traversal vulnerabilities in the mod_site_misc module in ProFTPD before 1.3.3c allow remote authenticated users to create directories, delete directories, create symlinks, and modify file timestamps via directory traversal sequences in a (1) SITE MKDIR, (2) SITE RMDIR, (3) SITE SYMLINK, or (4) SITE UTIME command.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-22

Products Affected

Vendor Product Version
proftpd proftpd 1.3.3
proftpd proftpd 1.3.2
proftpd proftpd 1.3.1
proftpd proftpd 1.3.0
proftpd proftpd 1.2.10

CVE-2010-4221 HIGH

Multiple stack-based buffer overflows in the pr_netio_telnet_gets function in netio.c in ProFTPD before 1.3.3c allow remote attackers to execute arbitrary code via vectors involving a TELNET IAC escape character to a (1) FTP or (2) FTPS server.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119

Products Affected

Vendor Product Version
proftpd proftpd 1.3.3
proftpd proftpd 1.3.2

CVE-2010-4652 MEDIUM

Heap-based buffer overflow in the sql_prepare_where function (contrib/mod_sql.c) in ProFTPD before 1.3.3d, when mod_sql is enabled, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted username containing substitution tags, which are not properly handled during construction of an SQL query.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119

Products Affected

Vendor Product Version
proftpd proftpd 1.2.4
proftpd proftpd 1.3.2
proftpd proftpd 1.3.1
proftpd proftpd 1.2.9
proftpd proftpd 1.2.3
proftpd proftpd 1.2.7
proftpd proftpd *
proftpd proftpd 1.2.1
proftpd proftpd 1.2.2
proftpd proftpd 1.2.6
proftpd proftpd 1.2.10
proftpd proftpd 1.2.0
proftpd proftpd 1.3.3
proftpd proftpd 1.2.5
proftpd proftpd 1.3.0
proftpd proftpd 1.2.8

CVE-2011-1137 MEDIUM

Integer overflow in the mod_sftp (aka SFTP) module in ProFTPD 1.3.3d and earlier allows remote attackers to cause a denial of service (memory consumption leading to OOM kill) via a malformed SSH message.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-189

Products Affected

Vendor Product Version
proftpd proftpd 1.2.4
proftpd proftpd 1.3.2
proftpd proftpd 1.3.1
proftpd proftpd 1.2.9
proftpd proftpd 1.2.3
proftpd proftpd 1.2.7
proftpd proftpd *
proftpd proftpd 1.2.1
proftpd proftpd 1.2.2
proftpd proftpd 1.2.6
proftpd proftpd 1.2.10
proftpd proftpd 1.2.0
proftpd proftpd 1.3.3
proftpd proftpd 1.2.5
proftpd proftpd 1.3.0
proftpd proftpd 1.2.8

CVE-2011-4130 HIGH

Use-after-free vulnerability in the Response API in ProFTPD before 1.3.3g allows remote authenticated users to execute arbitrary code via vectors involving an error that occurs after an FTP data transfer.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-399

Products Affected

Vendor Product Version
proftpd proftpd 1.2.4
proftpd proftpd 1.3.2
proftpd proftpd 1.3.1
proftpd proftpd 1.2.9
proftpd proftpd 1.2.3
proftpd proftpd 1.2.7
proftpd proftpd *
proftpd proftpd 1.2.1
proftpd proftpd 1.2.2
proftpd proftpd 1.2.6
proftpd proftpd 1.2.10
proftpd proftpd 1.2.0
proftpd proftpd 1.3.3
proftpd proftpd 1.2.5
proftpd proftpd 1.3.0
proftpd proftpd 1.2.8

CVE-2012-6095 LOW

ProFTPD before 1.3.5rc1, when using the UserOwner directive, allows local users to modify the ownership of arbitrary files via a race condition and a symlink attack on the (1) MKD or (2) XMKD commands.

CVSS 2.0

Severity: LOW

Problem Type: CWE-362

Products Affected

Vendor Product Version
proftpd proftpd 1.2.4
proftpd proftpd 1.3.2
proftpd proftpd 1.3.1
proftpd proftpd 1.2.9
proftpd proftpd 1.2.3
proftpd proftpd 1.2.7
proftpd proftpd *
proftpd proftpd 1.2.1
proftpd proftpd 1.2.2
proftpd proftpd 1.2.6
proftpd proftpd 1.2.10
proftpd proftpd 1.2.0
proftpd proftpd 1.3.3
proftpd proftpd 1.3.4
proftpd proftpd 1.2.5
proftpd proftpd 1.3.0
proftpd proftpd 1.2.8

CVE-2013-4359 MEDIUM

Integer overflow in kbdint.c in mod_sftp in ProFTPD 1.3.4d and 1.3.5r3 allows remote attackers to cause a denial of service (memory consumption) via a large response count value in an authentication request, which triggers a large memory allocation.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-189

Products Affected

Vendor Product Version
proftpd proftpd 1.3.4
proftpd proftpd 1.3.5

CVE-2015-3306 HIGH

The mod_copy module in ProFTPD 1.3.5 allows remote attackers to read and write to arbitrary files via the site cpfr and site cpto commands.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-284

Products Affected

Vendor Product Version
proftpd proftpd 1.3.5

CVE-2016-3125 MEDIUM

The mod_tls module in ProFTPD before 1.3.5b and 1.3.6 before 1.3.6rc2 does not properly handle the TLSDHParamFile directive, which might cause a weaker than intended Diffie-Hellman (DH) key to be used and consequently allow attackers to have unspecified impact via unknown vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-254, CWE-310

Products Affected

Vendor Product Version
opensuse opensuse 13.1
proftpd proftpd 1.3.6
fedoraproject fedora 23
proftpd proftpd *
fedoraproject fedora 22

CVE-2017-7418 LOW

ProFTPD before 1.3.5e and 1.3.6 before 1.3.6rc5 controls whether the home directory of a user could contain a symbolic link through the AllowChrootSymlinks configuration option, but checks only the last path component when enforcing AllowChrootSymlinks. Attackers with local access could bypass the AllowChrootSymlinks control by replacing a path component (other than the last one) with a symbolic link. The threat model includes an attacker who is not granted full filesystem access by a hosting provider, but can reconfigure the home directory of an FTP user.

CVSS 2.0

Severity: LOW

Problem Type: CWE-59

Products Affected

Vendor Product Version
proftpd proftpd 1.3.6
proftpd proftpd *

CVE-2019-12815 HIGH

An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-755

Products Affected

Vendor Product Version
debian debian_linux 9.0
siemens simatic_cp_1543-1_firmware *
debian debian_linux 8.0
fedoraproject fedora 29
proftpd proftpd *
debian debian_linux 10.0
fedoraproject fedora 30

CVE-2019-18217 MEDIUM

ProFTPD before 1.3.6b and 1.3.7rc before 1.3.7rc2 allows remote unauthenticated denial-of-service due to incorrect handling of overly long commands because main.c in a child process enters an infinite loop.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-835

Products Affected

Vendor Product Version
proftpd proftpd 1.3.7
proftpd proftpd 1.3.6
proftpd proftpd *

CVE-2019-19269 MEDIUM

An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. A dereference of a NULL pointer may occur. This pointer is returned by the OpenSSL sk_X509_REVOKED_value() function when encountering an empty CRL installed by a system administrator. The dereference occurs when validating the certificate of a client connecting to the server in a TLS client/server mutual-authentication setup.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476

Products Affected

Vendor Product Version
proftpd proftpd 1.3.6
debian debian_linux 8.0
proftpd proftpd *
fedoraproject fedora 31
fedoraproject fedora 30

CVE-2019-19270 MEDIUM

An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. Failure to check for the appropriate field of a CRL entry (checking twice for subject, rather than once for subject and once for issuer) prevents some valid CRLs from being taken into account, and can allow clients whose certificates have been revoked to proceed with a connection to the server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-295

Products Affected

Vendor Product Version
proftpd proftpd 1.3.6
proftpd proftpd *
fedoraproject fedora 31
fedoraproject fedora 30

CVE-2019-19271 MEDIUM

An issue was discovered in tls_verify_crl in ProFTPD before 1.3.6. A wrong iteration variable, used when checking a client certificate against CRL entries (installed by a system administrator), can cause some CRL entries to be ignored, and can allow clients whose certificates have been revoked to proceed with a connection to the server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-295

Products Affected

Vendor Product Version
proftpd proftpd *

CVE-2019-19272 MEDIUM

An issue was discovered in tls_verify_crl in ProFTPD before 1.3.6. Direct dereference of a NULL pointer (a variable initialized to NULL) leads to a crash when validating the certificate of a client connecting to the server in a TLS client/server mutual-authentication setup.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476

Products Affected

Vendor Product Version
proftpd proftpd *

CVE-2020-9272 MEDIUM

ProFTPD 1.3.7 has an out-of-bounds (OOB) read vulnerability in mod_cap via the cap_text.c cap_to_text function.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125

Products Affected

Vendor Product Version
opensuse leap 15.1
opensuse backports_sle 15.0
proftpd proftpd *
siemens simatic_net_cp_1545-1_firmware *
siemens simatic_net_cp_1543-1_firmware *

CVE-2020-9273 HIGH

In ProFTPD 1.3.7, it is possible to corrupt the memory pool by interrupting the data transfer channel. This triggers a use-after-free in alloc_pool in pool.c, and possible remote code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416

Products Affected

Vendor Product Version
debian debian_linux 9.0
proftpd proftpd 1.3.7
siemens simatic_net_cp_1545-1_firmware -
opensuse leap 15.1
debian debian_linux 8.0
opensuse backports_sle 15.0
debian debian_linux 10.0
fedoraproject fedora 31
siemens simatic_net_cp_1543-1_firmware *
fedoraproject fedora 30

CVE-2021-46854

mod_radius in ProFTPD before 1.3.7c allows memory disclosure to RADIUS servers because it copies blocks of 16 characters.

Products Affected

Vendor Product Version
proftpd proftpd *

CVE-2023-48795

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N 2.2 3.6

Products Affected

Vendor Product Version
winscp winscp *
redhat enterprise_linux 9.0
redhat openshift_data_foundation 4.0
redhat openshift_dev_spaces -
redhat openshift_api_for_data_protection -
lancom-systems lanconfig -
roumenpetrov pkixssh *
bitvise ssh_client *
redhat jboss_enterprise_application_platform 7.0
thorntech sftp_gateway_firmware *
lancom-systems lcos_sx 4.20
fedoraproject fedora 38
microsoft powershell *
netgate pfsense_ce *
redhat openstack_platform 16.1
redhat openshift_gitops -
bitvise ssh_server *
libssh libssh *
putty putty *
redhat advanced_cluster_security 4.0
panic transmit_5 *
tinyssh tinyssh *
apple macos *
redhat openshift_pipelines -
redhat openshift_virtualization 4
redhat discovery -
lancom-systems lcos_sx 5.20
oryx-embedded cyclone_ssh *
panic nova *
asyncssh_project asyncssh *
vandyke securecrt *
lancom-systems lcos_fx -
matez jsch *
netgate pfsense_plus *
redhat ceph_storage 6.0
apache sshd *
redhat keycloak -
sftpgo_project sftpgo *
filezilla-project filezilla_client *
redhat openshift_developer_tools_and_services -
jadaptive maverick_synergy_java_ssh_api *
debian debian_linux 10.0
redhat openshift_serverless -
trilead ssh2 6401
russh_project russh *
redhat openstack_platform 17.1
crushftp crushftp *
connectbot sshlib *
redhat storage 3.0
net-ssh net-ssh 7.2.0
redhat enterprise_linux 8.0
ssh ssh *
paramiko paramiko *
redhat advanced_cluster_security 3.0
redhat openstack_platform 16.2
libssh2 libssh2 *
lancom-systems lcos_lx -
fedoraproject fedora 39
crates thrussh *
dropbear_ssh_project dropbear_ssh *
freebsd freebsd *
redhat openshift_container_platform 4.0
erlang erlang/otp *
kitty_project kitty *
lancom-systems lcos *
golang crypto *
redhat single_sign-on 7.0
tera_term_project tera_term *
gentoo security -
proftpd proftpd *
apache sshj *
openbsd openssh *
redhat cert-manager_operator_for_red_hat_openshift -
ssh2_project ssh2 *
netsarang xshell_7 *

CVE-2023-51713

make_ftp_cmd in main.c in ProFTPD before 1.3.8a has a one-byte out-of-bounds read, and daemon crash, because of mishandling of quote/backslash semantics.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
proftpd proftpd *