This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Detail
Vendor Proftpd First view 2013-01-24
Product Proftpd Last view 2019-11-30
Version 1.3.4 Type Application
Update rc3  
Edition *  
Language *  
Sofware Edition *  
Target Software *  
Target Hardware *  
Other *  
 
CPE Product cpe:2.3:a:proftpd:proftpd

Activity : Overall

Related : CVE

  Date Alert Description
4.9 2019-11-30 CVE-2019-19269

An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. A dereference of a NULL pointer may occur. This pointer is returned by the OpenSSL sk_X509_REVOKED_value() function when encountering an empty CRL installed by a system administrator. The dereference occurs when validating the certificate of a client connecting to the server in a TLS client/server mutual-authentication setup.

7.5 2019-11-26 CVE-2019-19272

An issue was discovered in tls_verify_crl in ProFTPD before 1.3.6. Direct dereference of a NULL pointer (a variable initialized to NULL) leads to a crash when validating the certificate of a client connecting to the server in a TLS client/server mutual-authentication setup.

7.5 2019-11-26 CVE-2019-19271

An issue was discovered in tls_verify_crl in ProFTPD before 1.3.6. A wrong iteration variable, used when checking a client certificate against CRL entries (installed by a system administrator), can cause some CRL entries to be ignored, and can allow clients whose certificates have been revoked to proceed with a connection to the server.

7.5 2019-11-26 CVE-2019-19270

An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. Failure to check for the appropriate field of a CRL entry (checking twice for subject, rather than once for subject and once for issuer) prevents some valid CRLs from being taken into account, and can allow clients whose certificates have been revoked to proceed with a connection to the server.

7.5 2019-10-21 CVE-2019-18217

ProFTPD before 1.3.6b and 1.3.7rc before 1.3.7rc2 allows remote unauthenticated denial-of-service due to incorrect handling of overly long commands because main.c in a child process enters an infinite loop.

9.8 2019-07-19 CVE-2019-12815

An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.

5.5 2017-04-04 CVE-2017-7418

ProFTPD before 1.3.5e and 1.3.6 before 1.3.6rc5 controls whether the home directory of a user could contain a symbolic link through the AllowChrootSymlinks configuration option, but checks only the last path component when enforcing AllowChrootSymlinks. Attackers with local access could bypass the AllowChrootSymlinks control by replacing a path component (other than the last one) with a symbolic link. The threat model includes an attacker who is not granted full filesystem access by a hosting provider, but can reconfigure the home directory of an FTP user.

7.5 2016-04-05 CVE-2016-3125

The mod_tls module in ProFTPD before 1.3.5b and 1.3.6 before 1.3.6rc2 does not properly handle the TLSDHParamFile directive, which might cause a weaker than intended Diffie-Hellman (DH) key to be used and consequently allow attackers to have unspecified impact via unknown vectors.

1.2 2013-01-24 CVE-2012-6095

ProFTPD before 1.3.5rc1, when using the UserOwner directive, allows local users to modify the ownership of arbitrary files via a race condition and a symlink attack on the (1) MKD or (2) XMKD commands.

CWE : Common Weakness Enumeration

%idName
22% (2) CWE-476 NULL Pointer Dereference
22% (2) CWE-295 Certificate Issues
11% (1) CWE-755 Improper Handling of Exceptional Conditions
11% (1) CWE-362 Race Condition
11% (1) CWE-310 Cryptographic Issues
11% (1) CWE-254 Security Features
11% (1) CWE-59 Improper Link Resolution Before File Access ('Link Following')

Nessus® Vulnerability Scanner

id Description
2017-07-28 Name: The remote FreeBSD host is missing a security-related update.
File: freebsd_pkg_770d7e9172af11e7998a08606e47f965.nasl - Type: ACT_GATHER_INFO
2017-07-17 Name: The remote Fedora host is missing a security update.
File: fedora_2017-5a01498b4b.nasl - Type: ACT_GATHER_INFO
2017-04-24 Name: The remote Slackware host is missing a security update.
File: Slackware_SSA_2017-112-03.nasl - Type: ACT_GATHER_INFO
2017-04-20 Name: The remote Fedora host is missing a security update.
File: fedora_2017-c6f424c3ff.nasl - Type: ACT_GATHER_INFO
2017-04-19 Name: The remote Fedora host is missing a security update.
File: fedora_2017-e15e37b689.nasl - Type: ACT_GATHER_INFO
2017-04-18 Name: The remote openSUSE host is missing a security update.
File: openSUSE-2017-481.nasl - Type: ACT_GATHER_INFO
2016-06-14 Name: The remote openSUSE host is missing a security update.
File: openSUSE-2016-713.nasl - Type: ACT_GATHER_INFO
2016-05-20 Name: The remote openSUSE host is missing a security update.
File: openSUSE-2016-603.nasl - Type: ACT_GATHER_INFO
2016-04-21 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_a733b5ca06eb11e6817f3085a9a4510d.nasl - Type: ACT_GATHER_INFO
2016-03-28 Name: The remote Fedora host is missing a security update.
File: fedora_2016-ac3587be9a.nasl - Type: ACT_GATHER_INFO
2016-03-21 Name: The remote Fedora host is missing a security update.
File: fedora_2016-f95d8ea3ad.nasl - Type: ACT_GATHER_INFO
2016-03-21 Name: The remote Fedora host is missing a security update.
File: fedora_2016-977d57cf2d.nasl - Type: ACT_GATHER_INFO
2015-01-19 Name: The remote Solaris system is missing a security patch for third-party software.
File: solaris11_proftpd_20130924.nasl - Type: ACT_GATHER_INFO
2013-09-25 Name: The remote Gentoo host is missing one or more security-related patches.
File: gentoo_GLSA-201309-15.nasl - Type: ACT_GATHER_INFO
2013-06-24 Name: The remote FTP server is affected by an arbitrary file overwrite vulnerability.
File: proftpd_mkd_xmkd_file_overwrite.nasl - Type: ACT_GATHER_INFO
2013-04-20 Name: The remote Mandriva Linux host is missing one or more security updates.
File: mandriva_MDVSA-2013-053.nasl - Type: ACT_GATHER_INFO
2013-01-31 Name: The remote Fedora host is missing a security update.
File: fedora_2013-0483.nasl - Type: ACT_GATHER_INFO
2013-01-31 Name: The remote Fedora host is missing a security update.
File: fedora_2013-0468.nasl - Type: ACT_GATHER_INFO
2013-01-31 Name: The remote Fedora host is missing a security update.
File: fedora_2013-0437.nasl - Type: ACT_GATHER_INFO
2013-01-14 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-2606.nasl - Type: ACT_GATHER_INFO