CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2021-40524
https://notcve.org/view.php?id=CVE-2021-40524
In Pure-FTPd before 1.0.50, an incorrect max_filesize quota mechanism in the server allows attackers to upload files of unbounded size, which may lead to denial of service or a server hang. This occurs because a certain greater-than-zero test does not anticipate an initial -1 value. (Versions 1.0.23 through 1.0.49 are affected.) En Pure-FTPd antes de la versión 1.0.50, un mecanismo incorrecto de cuota max_filesize en el servidor permite a los atacantes subir archivos de tamaño no limitado, lo que puede llevar a la denegación de servicio o a la caída del servidor. Esto ocurre porque una determinada prueba mayor que cero no anticipa un valor inicial de -1. • https://github.com/jedisct1/pure-ftpd/commit/37ad222868e52271905b94afea4fc780d83294b4 https://github.com/jedisct1/pure-ftpd/compare/1.0.49...1.0.50 https://github.com/jedisct1/pure-ftpd/pull/158 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.5EPSS: 1%CPEs: 9EXPL: 0CVE-2020-9274
https://notcve.org/view.php?id=CVE-2020-9274
An issue was discovered in Pure-FTPd 1.0.49. An uninitialized pointer vulnerability has been detected in the diraliases linked list. When the *lookup_alias(const char alias) or print_aliases(void) function is called, they fail to correctly detect the end of the linked list and try to access a non-existent list member. This is related to init_aliases in diraliases.c. Se detectó un problema en Pure-FTPd versión 1.0.49. • https://github.com/jedisct1/pure-ftpd/commit/8d0d42542e2cb7a56d645fbe4d0ef436e38bcefa https://lists.debian.org/debian-lts-announce/2020/02/msg00029.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22P44PECZWNDP7CMBL7NRBMNFS73C5Z2 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5NSUDWXZVWUCL6R2PTX3KBB42Z62CA5 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U5DBVHJCXWRSJPNJQCJQCKZF6ZDPZCKA https://security.gentoo.org&#x • CWE-824: Access of Uninitialized Pointer •
CVSS: 4.0EPSS: 4%CPEs: 90EXPL: 3CVE-2011-0418 – FreeBSD 9.1 - 'ftpd' Remote Denial of Service
https://notcve.org/view.php?id=CVE-2011-0418
The glob implementation in Pure-FTPd before 1.0.32, and in libc in NetBSD 5.1, does not properly expand expressions containing curly brackets, which allows remote authenticated users to cause a denial of service (memory consumption) via a crafted FTP STAT command. La implementación del comando glob de Pure-FTPd en versiones anteriores a 1.0.32, y en libc de NetBSD 5.1, no expande apropiadamente las expresiones que contienen llaves, lo que permite a usuarios autenticados remotos provocar una denegación de servicio (consumo de toda la memoria) a través de un comando FTP STAT modificado. Multiple vendors are affected by a memory exhaustion vulnerability in libc/glob(3) GLOB_BRACE|GLOB_LIMIT. • https://www.exploit-db.com/exploits/24450 http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gen/glob.c#rev1.28 http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gen/glob.c.diff?r1=1.27&r2=1.28&f=h http://securityreason.com/achievement_securityalert/97 http://securityreason.com/securityalert/8228 http://www.mandriva.com/security/advisories?name=MDVSA-2011:094 http://www.pureftpd.org/project/pure-ftpd/news http://www.securityfocus.com/bid/47671 http://www.vupen.com • CWE-20: Improper Input Validation •