The vsf_filename_passes_filter function in ls.c in vsftpd before 2.3.3 allows remote authenticated users to cause a denial of service (CPU consumption and process slot exhaustion) via crafted glob expressions in STAT commands in multiple FTP sessions, a different vulnerability than CVE-2010-2632.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-400,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| vsftpd_project | vsftpd | * |
| fedoraproject | fedora | 14 |
| debian | debian_linux | 5.0 |
| fedoraproject | fedora | 13 |
| opensuse | opensuse | 11.2 |
| debian | debian_linux | 7.0 |
| fedoraproject | fedora | 15 |
| suse | linux_enterprise_server | 11 |
| debian | debian_linux | 6.0 |
| canonical | ubuntu_linux | 9.10 |
| canonical | ubuntu_linux | 10.10 |
| suse | linux_enterprise_server | 10 |
| canonical | ubuntu_linux | 6.06 |
| opensuse | opensuse | 11.3 |
| canonical | ubuntu_linux | 10.04 |
| canonical | ubuntu_linux | 8.04 |
| opensuse | opensuse | 11.4 |
| suse | linux_enterprise_server | 9 |
Unspecified vulnerability in vsftpd 3.0.2 and earlier allows remote attackers to bypass access restrictions via unknown vectors, related to deny_file parsing.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| vsftpd_project | vsftpd | * |
| opensuse | opensuse | 13.2 |
| opensuse | opensuse | 13.1 |
VSFTPD 3.0.3 allows attackers to cause a denial of service due to limited number of connections allowed.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| vsftpd_project | vsftpd | 3.0.3 |
ALPACA is an application layer protocol content confusion attack, exploiting TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certificates. A MiTM attacker having access to victim's traffic at the TCP/IP layer can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the authentication of TLS and cross-protocol attacks may be possible where the behavior of one protocol service may compromise the other at the application layer.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-295,CWE-295,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| sendmail | sendmail | * |
| vsftpd_project | vsftpd | * |
| fedoraproject | fedora | 35 |
| fedoraproject | fedora | 34 |
| f5 | nginx | * |
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 33 |