Note: This project will be discontinued after December 13, 2021.
Product: Proftpd
Repositories: https://github.com/proftpd/proftpd
Number of vulnerabilities: 27
Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2022-11-23 | CVE-2021-46854 | mod_radius in ProFTPD before 1.3.7c allows memory disclosure to RADIUS servers because it copies blocks of 16 characters. | Proftpd | 7.5 | ||
2020-02-20 | CVE-2020-9272 | ProFTPD 1.3.7 has an out-of-bounds (OOB) read vulnerability in mod_cap via the cap_text.c cap_to_text function. | Backports_sle, Leap, Proftpd, Simatic_net_cp_1543-1_firmware, Simatic_net_cp_1545-1_firmware | 7.5 | ||
2015-05-18 | CVE-2015-3306 | The mod_copy module in ProFTPD 1.3.5 allows remote attackers to read and write to arbitrary files via the site cpfr and site cpto commands. | Proftpd | N/A | ||
2019-11-26 | CVE-2019-19272 | An issue was discovered in tls_verify_crl in ProFTPD before 1.3.6. Direct dereference of a NULL pointer (a variable initialized to NULL) leads to a crash when validating the certificate of a client connecting to the server in a TLS client/server mutual-authentication setup. | Proftpd | N/A | ||
2019-11-26 | CVE-2019-19271 | An issue was discovered in tls_verify_crl in ProFTPD before 1.3.6. A wrong iteration variable, used when checking a client certificate against CRL entries (installed by a system administrator), can cause some CRL entries to be ignored, and can allow clients whose certificates have been revoked to proceed with a connection to the server. | Proftpd | N/A | ||
2017-04-04 | CVE-2017-7418 | ProFTPD before 1.3.5e and 1.3.6 before 1.3.6rc5 controls whether the home directory of a user could contain a symbolic link through the AllowChrootSymlinks configuration option, but checks only the last path component when enforcing AllowChrootSymlinks. Attackers with local access could bypass the AllowChrootSymlinks control by replacing a path component (other than the last one) with a symbolic link. The threat model includes an attacker who is not granted full filesystem access by a... | Proftpd | 5.5 | ||
2016-04-05 | CVE-2016-3125 | The mod_tls module in ProFTPD before 1.3.5b and 1.3.6 before 1.3.6rc2 does not properly handle the TLSDHParamFile directive, which might cause a weaker than intended Diffie-Hellman (DH) key to be used and consequently allow attackers to have unspecified impact via unknown vectors. | Fedora, Opensuse, Proftpd | 7.5 | ||
2013-09-30 | CVE-2013-4359 | Integer overflow in kbdint.c in mod_sftp in ProFTPD 1.3.4d and 1.3.5r3 allows remote attackers to cause a denial of service (memory consumption) via a large response count value in an authentication request, which triggers a large memory allocation. | Proftpd | N/A | ||
2013-01-24 | CVE-2012-6095 | ProFTPD before 1.3.5rc1, when using the UserOwner directive, allows local users to modify the ownership of arbitrary files via a race condition and a symlink attack on the (1) MKD or (2) XMKD commands. | Proftpd | N/A | ||
2011-12-06 | CVE-2011-4130 | Use-after-free vulnerability in the Response API in ProFTPD before 1.3.3g allows remote authenticated users to execute arbitrary code via vectors involving an error that occurs after an FTP data transfer. | Proftpd | N/A | ||