CVE-2019-11365
 
- Severity Score: -
- Exploit Likelihood: -
- Affected Versions: 0.7.1
- Public Exploits: 1
- Exploited in Wild: -
- Decision: -
Description
An issue was discovered in atftpd in atftp 0.7.1. A remote attacker may send a crafted packet triggering a stack-based buffer overflow due to an insecurely implemented strncpy call. The vulnerability is triggered by sending an error packet of 3 bytes or fewer: a TFTP ERROR packet (RFC 1350) consists of a 2-byte opcode and a 2-byte error code followed by the message, so such a packet is shorter than its own 4-byte fixed header and the length derived from it is never validated before being handed to strncpy. There are multiple instances of this vulnerable strncpy pattern within the code base, specifically within tftpd_file.c, tftp_file.c, tftpd_mtftp.c, and tftp_mtftp.c.
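The class of bug the description refers to, as an added illustration written for this page and not atftp's own code: a copy length computed as "datagram size minus the ERROR header" in a signed int, which goes negative for a datagram of 3 bytes or fewer and is then converted to a huge size_t by strncpy, next to a hardened parser that validates the length before doing arithmetic on it. The exact arithmetic in atftp, the 128-byte buffer size, and the sample datagrams are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TFTP ERROR packet (RFC 1350): 2-byte opcode (5), 2-byte error code,
 * then the message bytes and a terminating 0x00.  The message starts
 * after the 4-byte fixed header. */
#define TFTP_OP_ERROR  5
#define TFTP_ERROR_HDR 4
#define ERRMSG_BUF     128   /* assumed size of the on-stack message copy */

/* Constructed sample datagrams (not captured traffic). */
static const uint8_t SAMPLE_TRUNCATED[3] = { 0x00, 0x05, 0x00 };
static const uint8_t SAMPLE_NORMAL[] = {
    0x00, 0x05, 0x00, 0x01,
    'F','i','l','e',' ','n','o','t',' ','f','o','u','n','d', 0x00
};

/* The count the vulnerable pattern passes to strncpy: bytes received minus
 * the fixed header.  data_size is a signed int, as recvfrom() returns, so a
 * datagram of 3 bytes or fewer makes it negative; strncpy's size_t parameter
 * turns that into a huge count and the copy runs until it meets a NUL in
 * memory, with no relation to the destination buffer size. */
size_t vulnerable_copy_len(int data_size)
{
    return (size_t)(data_size - TFTP_ERROR_HDR);
}

/* Hardened parse: check the length before doing arithmetic on it, bound the
 * copy by both the datagram and the destination, and always NUL-terminate
 * (strncpy does not when the source is at least n bytes long).
 * Returns 0 on success, -1 for a malformed packet. */
int parse_error_packet(const uint8_t *pkt, int data_size,
                       uint16_t *code, char *msg, size_t msg_size)
{
    if (pkt == NULL || data_size < TFTP_ERROR_HDR || msg_size == 0)
        return -1;                               /* shorter than its own header */
    if (((pkt[0] << 8) | pkt[1]) != TFTP_OP_ERROR)
        return -1;

    *code = (uint16_t)((pkt[2] << 8) | pkt[3]);

    size_t avail = (size_t)data_size - TFTP_ERROR_HDR;    /* cannot underflow now */
    size_t n = 0;
    while (n < avail && pkt[TFTP_ERROR_HDR + n] != '\0')  /* never read past pkt */
        n++;
    if (n >= msg_size)
        n = msg_size - 1;                                 /* leave room for the NUL */
    memcpy(msg, pkt + TFTP_ERROR_HDR, n);
    msg[n] = '\0';
    return 0;
}

int main(void)
{
    uint16_t code;
    char msg[ERRMSG_BUF];

    printf("strncpy count for a 3-byte ERROR packet: %zu\n", vulnerable_copy_len(3));
    printf("hardened parser on the 3-byte packet: %d\n",
           parse_error_packet(SAMPLE_TRUNCATED, (int)sizeof SAMPLE_TRUNCATED,
                              &code, msg, sizeof msg));
    if (parse_error_packet(SAMPLE_NORMAL, (int)sizeof SAMPLE_NORMAL,
                           &code, msg, sizeof msg) == 0)
        printf("code=%u msg=\"%s\"\n", code, msg);
    return 0;
}
```

The hardened version also covers the second half of the problem: a message that fills the datagram without a terminating NUL is clamped to the destination size and terminated explicitly, which plain strncpy with a correct count would still not do.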
CVSS Scores
SSVC
- Decision: -
Timeline
- 2019-04-20 CVE Reserved
- 2019-04-20 CVE Published
- 2024-08-04 CVE Updated
- 2024-08-04 First Exploit
- 2024-10-20 EPSS Updated
- (no date) Exploited in Wild
- (no date) KEV Due Date
CWE
- CWE-787: Out-of-bounds Write
CAPEC
References (7)
URL | Tag | Date
---|---|---
https://lists.debian.org/debian-lts-announce/2019/05/msg00012.html | Mailing List | -
https://seclists.org/bugtraq/2019/May/16 | Mailing List | -
https://pulsesecurity.co.nz/advisories/atftpd-multiple-vulnerabilities | Third-party advisory | 2024-08-04
https://sourceforge.net/p/atftp/code/ci/abed7d245d8e8bdfeab24f9f7f55a52c3140f96b | Upstream commit | 2020-09-28
https://security.gentoo.org/glsa/202003-14 | Vendor advisory | 2020-09-28
https://usn.ubuntu.com/4540-1 | Vendor advisory | 2020-09-28
https://www.debian.org/security/2019/dsa-4438 | Vendor advisory | 2020-09-28
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Atftp Project | Atftp | 0.7.1 | - | Affected