Off-by-one error in the fb_realpath() function, as derived from the realpath function in BSD, may allow attackers to execute arbitrary code, as demonstrated in wu-ftpd 2.5.0 through 2.6.2 via commands that cause pathnames of length MAXPATHLEN+1 to trigger a buffer overflow, including (1) STOR, (2) RETR, (3) APPE, (4) DELE, (5) MKD, (6) RMD, (7) STOU, or (8) RNTO.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-193,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| freebsd | freebsd | * |
| openbsd | openbsd | * |
| apple | mac_os_x_server | 10.2.6 |
| apple | mac_os_x | 10.2.6 |
| wuftpd | wu-ftpd | * |
| sun | solaris | 9.0 |
| redhat | wu_ftpd | 2.6.1-16 |
| netbsd | netbsd | * |