CVE-2020-9274

HIGH · EPSS 92.2%
7.5 CVSS 3.1 (High)
Published Feb 26, 2020 (6y ago)
Last Modified Jun 17, 2026 (2w ago)

Description

An issue was discovered in Pure-FTPd 1.0.49. An uninitialized pointer vulnerability has been detected in the diraliases linked list. When the lookup_alias(const char *alias) or print_aliases(void) function is called, it fails to correctly detect the end of the linked list and tries to access a non-existent list member. This is related to init_aliases in diraliases.c.

CVSS Details

Base Score: 7.5
Exploitability: 3.9
Impact: 3.6
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Threat Intelligence

EPSS Exploit Probability: 92.2% percentile
Exploit & Patch Status: No Known Exploit, Patch Available

Weaknesses 1

CWE-824

Affected Products 9

Vendor         Product                               Version  Range
pureftpd       pure-ftpd                             *        <1.0.50
debian         debian_linux                          8.0      any
fedoraproject  extra_packages_for_enterprise_linux   7.0      any
fedoraproject  extra_packages_for_enterprise_linux   8.0      any
fedoraproject  fedora                                30       any
fedoraproject  fedora                                31       any
fedoraproject  fedora                                32       any
debian         debian_linux                          8.0      any
canonical      ubuntu_linux                          16.04    any

References 8

  • github.com https://github.com/jedisct1/pure-ftpd/commit/8d0d42542e2cb7a56d645fbe4d0ef436e38bcefa
    Patch, Third Party Advisory
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2020/02/msg00029.html
    Mailing List, Third Party Advisory
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22P44PECZWNDP7CMBL7NRBMNFS73C5Z2/
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5NSUDWXZVWUCL6R2PTX3KBB42Z62CA5/
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U5DBVHJCXWRSJPNJQCJQCKZF6ZDPZCKA/
  • security.gentoo.org https://security.gentoo.org/glsa/202003-54
    Third Party Advisory
  • usn.ubuntu.com https://usn.ubuntu.com/4515-1/
    Third Party Advisory
  • pureftpd.org https://www.pureftpd.org/project/pure-ftpd/news/
    Vendor Advisory

Remediation

  • github.com https://github.com/jedisct1/pure-ftpd/commit/8d0d42542e2cb7a56d645fbe4d0ef436e38bcefa
    Patch, Third Party Advisory