CVE-2021-40524
https://notcve.org/view.php?id=CVE-2021-40524
In Pure-FTPd before 1.0.50, an incorrect max_filesize quota mechanism in the server allows attackers to upload files of unbounded size, which may lead to denial of service or a server hang. This occurs because a certain greater-than-zero test does not anticipate an initial -1 value. (Versions 1.0.23 through 1.0.49 are affected.) En Pure-FTPd antes de la versión 1.0.50, un mecanismo incorrecto de cuota max_filesize en el servidor permite a los atacantes subir archivos de tamaño no limitado, lo que puede llevar a la denegación de servicio o a la caída del servidor. Esto ocurre porque una determinada prueba mayor que cero no anticipa un valor inicial de -1. • https://github.com/jedisct1/pure-ftpd/commit/37ad222868e52271905b94afea4fc780d83294b4 https://github.com/jedisct1/pure-ftpd/compare/1.0.49...1.0.50 https://github.com/jedisct1/pure-ftpd/pull/158 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2020-35359
https://notcve.org/view.php?id=CVE-2020-35359
Pure-FTPd 1.0.48 allows remote attackers to prevent legitimate server use by making enough connections to exceed the connection limit. Pure-FTPd versión 1.0.48, permite a atacantes remotos impedir el uso legítimo del servidor haciendo suficientes conexiones para exceder el límite de conexiones • https://www.exploit-db.com/exploits/49105 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2020-9274
https://notcve.org/view.php?id=CVE-2020-9274
An issue was discovered in Pure-FTPd 1.0.49. An uninitialized pointer vulnerability has been detected in the diraliases linked list. When the *lookup_alias(const char alias) or print_aliases(void) function is called, they fail to correctly detect the end of the linked list and try to access a non-existent list member. This is related to init_aliases in diraliases.c. Se detectó un problema en Pure-FTPd versión 1.0.49. • https://github.com/jedisct1/pure-ftpd/commit/8d0d42542e2cb7a56d645fbe4d0ef436e38bcefa https://lists.debian.org/debian-lts-announce/2020/02/msg00029.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22P44PECZWNDP7CMBL7NRBMNFS73C5Z2 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5NSUDWXZVWUCL6R2PTX3KBB42Z62CA5 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U5DBVHJCXWRSJPNJQCJQCKZF6ZDPZCKA https://security.gentoo.org • CWE-824: Access of Uninitialized Pointer •