Upstream information
Description
The fetch_url function in usr.bin/ftp/fetch.c in tnftp, as used in NetBSD 5.1 through 5.1.4, 5.2 through 5.2.2, 6.0 through 6.0.6, and 6.1 through 6.1.5 allows remote attackers to execute arbitrary commands via a | (pipe) character at the end of an HTTP redirect.SUSE information
Overall state of this security issue: Does not affect SUSE products
This issue is currently rated as having moderate severity.
| National Vulnerability Database | SUSE | |
|---|---|---|
| Base Score | 7.5 | 6.8 |
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| Access Vector | Network | Network |
| Access Complexity | Low | Medium |
| Authentication | None | None |
| Confidentiality Impact | Partial | Partial |
| Integrity Impact | Partial | Partial |
| Availability Impact | Partial | Partial |
SUSE Security Advisories:
- openSUSE-SU-2014:1383-1
List of released packages
| Product(s) | Fixed package version(s) | References |
|---|---|---|
| openSUSE Leap 15.0 |
| Patchnames: openSUSE Leap 15.0 GA tnftp-20151004-lp150.1.9 |
| openSUSE Leap 15.2 |
| Patchnames: openSUSE Leap 15.2 GA tnftp-20151004-lp152.3.3 |
| openSUSE Leap 15.3 |
| Patchnames: openSUSE Leap 15.3 GA tnftp-20151004-bp153.1.16 |
| openSUSE Leap 15.4 |
| Patchnames: openSUSE Leap 15.4 GA tnftp-20151004-bp154.2.20 |
| openSUSE Tumbleweed |
| Patchnames: openSUSE-Tumbleweed-2024-10306 |
SUSE Timeline for this CVE
CVE page created: Wed Oct 29 06:38:53 2014CVE page last modified: Sat Jun 15 22:22:18 2024