Vulnerability Name: CVE-2019-18217 (CCN-169692)

Assigned: 2019-10-19
Published: 2019-10-19
Updated: 2019-10-27
Summary: ProFTPD before 1.3.6b and 1.3.7rc before 1.3.7rc2 allows remote unauthenticated denial-of-service due to incorrect handling of overly long commands because main.c in a child process enters an infinite loop.
CVSS v3 Severity: 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Low
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
Vulnerability Type: CWE-835
Vulnerability Consequences: Denial of Service
References:
Source: MITRE
Type: CNA
CVE-2019-18217

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2020:0031

Source: CONFIRM
Type: UNKNOWN
https://cert-portal.siemens.com/productcert/pdf/ssa-940889.pdf

Source: XF
Type: UNKNOWN
proftpd-cve201918217-dos(169692)

Source: MISC
Type: Release Notes, Third Party Advisory
https://github.com/proftpd/proftpd/blob/1.3.6/NEWS

Source: MISC
Type: Release Notes, Third Party Advisory
https://github.com/proftpd/proftpd/blob/1.3.6/RELEASE_NOTES

Source: MISC
Type: Release Notes, Third Party Advisory
https://github.com/proftpd/proftpd/blob/master/NEWS

Source: MISC
Type: Release Notes, Third Party Advisory
https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES

Source: CCN
Type: ProFTPD GIT Repository
Remote denial-of-service due to issue in network IO handling #846

Source: MISC
Type: Exploit, Issue Tracking, Third Party Advisory
https://github.com/proftpd/proftpd/issues/846

Source: MLIST
Type: UNKNOWN
[debian-lts-announce] 20191027 [SECURITY] [DLA 1974-1] proftpd-dfsg security update

Source: FEDORA
Type: UNKNOWN
FEDORA-2019-ae019c7e9f

Source: FEDORA
Type: UNKNOWN
FEDORA-2019-7559f29ace

Source: FEDORA
Type: UNKNOWN
FEDORA-2019-848e410cfb

Source: BUGTRAQ
Type: UNKNOWN
20191106 [SECURITY] [DSA 4559-1] proftpd-dfsg security update

Source: GENTOO
Type: UNKNOWN
GLSA-202003-35

Source: DEBIAN
Type: UNKNOWN
DSA-4559

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2019-18217

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:proftpd:proftpd:*:*:*:*:*:*:*:* (Version <= 1.3.5)
  • OR cpe:/a:proftpd:proftpd:1.3.6:-:*:*:*:*:*:*
  • OR cpe:/a:proftpd:proftpd:1.3.6:a:*:*:*:*:*:*
  • OR cpe:/a:proftpd:proftpd:1.3.6:rc1:*:*:*:*:*:*
  • OR cpe:/a:proftpd:proftpd:1.3.6:rc2:*:*:*:*:*:*
  • OR cpe:/a:proftpd:proftpd:1.3.6:rc3:*:*:*:*:*:*
  • OR cpe:/a:proftpd:proftpd:1.3.6:rc4:*:*:*:*:*:*
  • OR cpe:/a:proftpd:proftpd:1.3.7:rc1:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:proftpd:proftpd:1.3.6:*:*:*:*:*:*:*

* Denotes that component is vulnerable

Oval Definitions
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:201918217 | V | CVE-2019-18217 | 2022-06-30
oval:org.opensuse.security:def:113176 | P | proftpd-1.3.6e-1.10 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:74757 | P | Security update for go1.17 (Moderate) | 2021-12-23
oval:org.opensuse.security:def:106598 | P | proftpd-1.3.6e-1.10 on GA media (Moderate) | 2021-10-01
oval:org.opensuse.security:def:64570 | P | Security update for java-11-openjdk (Important) | 2021-09-03
oval:org.opensuse.security:def:93576 | P | (Moderate) | 2021-08-23
oval:org.opensuse.security:def:63461 | P | vpx-tools-1.6.1-6.6.8 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:62787 | P | libgypsy-devel-0.9-2.30 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:62755 | P | gstreamer-plugins-bad-1.16.2-7.22 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:62759 | P | hplip-3.20.11-2.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:62762 | P | imlib2-loaders-1.4.10-1.28 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:100289 | P | (Moderate) | 2021-06-04
oval:org.opensuse.security:def:64512 | P | Security update for gstreamer, gstreamer-plugins-bad, gstreamer-plugins-base, gstreamer-plugins-good, gstreamer-plugins-ugly (Important) | 2021-06-01
oval:org.opensuse.security:def:64682 | P | Security update for avahi (Moderate) | 2021-05-04
oval:org.opensuse.security:def:74624 | P | Security update for spamassassin (Important) | 2021-04-13
oval:org.opensuse.security:def:63608 | P | argyllcms-1.9.2-2.27 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:62965 | P | log4j12-javadoc-1.2.17-2.26 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:63258 | P | dhcp-relay-4.3.5-6.3.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:64302 | P | libXfont-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:64303 | P | libXfont2-2 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:63837 | P | Security update for clamav (Moderate) | 2020-12-01
oval:org.opensuse.security:def:64410 | P | libykcs11-1 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:64166 | P | Security update for xen (Important) | 2020-12-01
oval:org.opensuse.security:def:110419 | P | Security update for proftpd (Moderate) | 2020-01-13
oval:com.ubuntu.disco:def:2019182170000000 | V | CVE-2019-18217 on Ubuntu 19.04 (disco) - medium. | 2019-10-21
oval:com.ubuntu.bionic:def:2019182170000000 | V | CVE-2019-18217 on Ubuntu 18.04 LTS (bionic) - medium. | 2019-10-21
oval:com.ubuntu.xenial:def:2019182170000000 | V | CVE-2019-18217 on Ubuntu 16.04 LTS (xenial) - medium. | 2019-10-21