CVE-2020-9273 Common Vulnerabilities and Exposures

Upstream information

CVE-2020-9273 at MITRE

Description

In ProFTPD 1.3.7, it is possible to corrupt the memory pool by interrupting the data transfer channel. This triggers a use-after-free in alloc_pool in pool.c, and possible remote code execution.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having important severity.

CVSS v2 Scores
	National Vulnerability Database
Base Score	9
Vector	AV:N/AC:L/Au:S/C:C/I:C/A:C
Access Vector	Network
Access Complexity	Low
Authentication	Single
Confidentiality Impact	Complete
Integrity Impact	Complete
Availability Impact	Complete

CVSS v3 Scores
	National Vulnerability Database
Base Score	8.8
Vector	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector	Network
Attack Complexity	Low
Privileges Required	Low
User Interaction	None
Scope	Unchanged
Confidentiality Impact	High
Integrity Impact	High
Availability Impact	High
CVSSv3 Version	3.1

SUSE Bugzilla entry: 1164574 [RESOLVED / FIXED]

SUSE Security Advisories:

openSUSE-SU-2020:0273-1, published Thu Dec 7 12:55:39 2023

List of released packages

Product(s)	Fixed package version(s)	References
SUSE Package Hub 15 SP1	`proftpd >= 1.3.6c-bp151.4.9.1` `proftpd-devel >= 1.3.6c-bp151.4.9.1` `proftpd-doc >= 1.3.6c-bp151.4.9.1` `proftpd-lang >= 1.3.6c-bp151.4.9.1` `proftpd-ldap >= 1.3.6c-bp151.4.9.1` `proftpd-mysql >= 1.3.6c-bp151.4.9.1` `proftpd-pgsql >= 1.3.6c-bp151.4.9.1` `proftpd-radius >= 1.3.6c-bp151.4.9.1` `proftpd-sqlite >= 1.3.6c-bp151.4.9.1`	Patchnames: openSUSE-2020-273
SUSE Package Hub 15	`proftpd >= 1.3.6c-bp150.3.9.1` `proftpd-devel >= 1.3.6c-bp150.3.9.1` `proftpd-doc >= 1.3.6c-bp150.3.9.1` `proftpd-lang >= 1.3.6c-bp150.3.9.1` `proftpd-ldap >= 1.3.6c-bp150.3.9.1` `proftpd-mysql >= 1.3.6c-bp150.3.9.1` `proftpd-pgsql >= 1.3.6c-bp150.3.9.1` `proftpd-radius >= 1.3.6c-bp150.3.9.1` `proftpd-sqlite >= 1.3.6c-bp150.3.9.1`	Patchnames: openSUSE-2020-273
openSUSE Leap 15.1	`proftpd >= 1.3.6c-lp151.3.9.1` `proftpd-devel >= 1.3.6c-lp151.3.9.1` `proftpd-doc >= 1.3.6c-lp151.3.9.1` `proftpd-lang >= 1.3.6c-lp151.3.9.1` `proftpd-ldap >= 1.3.6c-lp151.3.9.1` `proftpd-mysql >= 1.3.6c-lp151.3.9.1` `proftpd-pgsql >= 1.3.6c-lp151.3.9.1` `proftpd-radius >= 1.3.6c-lp151.3.9.1` `proftpd-sqlite >= 1.3.6c-lp151.3.9.1`	Patchnames: openSUSE-2020-273
openSUSE Tumbleweed	`proftpd >= 1.3.6e-1.10` `proftpd-devel >= 1.3.6e-1.10` `proftpd-doc >= 1.3.6e-1.10` `proftpd-lang >= 1.3.6e-1.10` `proftpd-ldap >= 1.3.6e-1.10` `proftpd-mysql >= 1.3.6e-1.10` `proftpd-pgsql >= 1.3.6e-1.10` `proftpd-radius >= 1.3.6e-1.10` `proftpd-sqlite >= 1.3.6e-1.10`	Patchnames: openSUSE-Tumbleweed-2024-11196

SUSE Timeline for this CVE

CVE page created: Fri Feb 21 15:55:29 2020
CVE page last modified: Tue Oct 15 11:35:52 2024