Vulnerability Name:

CVE-2004-0432 (CCN-16038)

Assigned:2004-05-03
Published:2004-05-03
Updated:2017-07-11
Summary:ProFTPD 1.2.9 treats the Allow and Deny directives for CIDR based ACL entries as if they were AllowAll, which could allow FTP clients to bypass intended access restrictions.
CVSS v3 Severity:7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): Low
CVSS v2 Severity:7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
Vulnerability Type:CWE-Other
Vulnerability Consequences:Bypass Security
References:Source: CCN
Type: ProFTPD Web page
Bug 2267 - Broken IP subnet matching

Source: CONFIRM
Type: UNKNOWN
http://bugs.proftpd.org/show_bug.cgi?id=2267

Source: MITRE
Type: CNA
CVE-2004-0432

Source: TRUSTIX
Type: UNKNOWN
2004-0025

Source: BUGTRAQ
Type: UNKNOWN
20040430 [OpenPKG-SA-2004.018] OpenPKG Security Advisory (proftpd)

Source: CCN
Type: SA11527
ProFTPD CIDR Addressing ACL and "site chgrp" Security Issues

Source: SECUNIA
Type: UNKNOWN
11527

Source: CCN
Type: GLSA-200405-09
ProFTPD Access Control List bypass vulnerability

Source: MANDRAKE
Type: UNKNOWN
MDKSA-2004:041

Source: CCN
Type: OpenPKG-SA-2004.018
ProFTPD

Source: CCN
Type: OSVDB ID: 5744
ProFTPD CIDR IP Subnet ACL Bypass

Source: BID
Type: Patch, Vendor Advisory
10252

Source: CCN
Type: BID-10252
ProFTPD CIDR Access Control Rule Bypass Vulnerability

Source: CCN
Type: TLSA-2009-16
CIDR based ACL vulnerability

Source: XF
Type: UNKNOWN
proftpd-cidr-acl-bypass(16038)

Source: XF
Type: UNKNOWN
proftpd-cidr-acl-bypass(16038)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:proftpd_project:proftpd:1.2.9:*:*:*:*:*:*:*

  • Configuration 2:
  • cpe:/o:gentoo:linux:0.5:*:*:*:*:*:*:*
  • OR cpe:/o:gentoo:linux:0.7:*:*:*:*:*:*:*
  • OR cpe:/o:gentoo:linux:1.1a:*:*:*:*:*:*:*
  • OR cpe:/o:gentoo:linux:1.2:*:*:*:*:*:*:*
  • OR cpe:/o:gentoo:linux:1.4:*:*:*:*:*:*:*
  • OR cpe:/o:gentoo:linux:1.4:rc1:*:*:*:*:*:*
  • OR cpe:/o:gentoo:linux:1.4:rc2:*:*:*:*:*:*
  • OR cpe:/o:gentoo:linux:1.4:rc3:*:*:*:*:*:*
  • OR cpe:/o:trustix:secure_linux:2.0:*:*:*:*:*:*:*
  • OR cpe:/o:trustix:secure_linux:2.1:*:*:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:proftpd:proftpd:1.2.9:*:*:*:*:*:*:*
  • AND
  • cpe:/a:openpkg:openpkg:current:*:*:*:*:*:*:*
  • OR cpe:/o:gentoo:linux:*:*:*:*:*:*:*:*
  • OR cpe:/a:openpkg:openpkg:1.3:*:*:*:*:*:*:*
  • OR cpe:/a:openpkg:openpkg:2.0:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    BACK
    proftpd_project proftpd 1.2.9
    gentoo linux 0.5
    gentoo linux 0.7
    gentoo linux 1.1a
    gentoo linux 1.2
    gentoo linux 1.4
    gentoo linux 1.4 rc1
    gentoo linux 1.4 rc2
    gentoo linux 1.4 rc3
    trustix secure linux 2.0
    trustix secure linux 2.1
    proftpd proftpd 1.2.9
    openpkg openpkg current
    gentoo linux *
    openpkg openpkg 1.3
    openpkg openpkg 2.0