Heap-based Buffer Overflow in ProFTPD with SQL Module
CVE-2010-4652
What is CVE-2010-4652?
ProFTPD before 1.3.3d, when the mod_sql module is enabled, contains a heap-based buffer overflow in the sql_prepare_where function (contrib/mod_sql.c). The function splices the client-supplied username into the text of a WHERE clause and then expands %-style substitution tags in that text into a fixed-size statement buffer, so a username that itself contains substitution tags expands to more data than the buffer was sized for. A remote attacker can trigger the overflow with a crafted username alone, without valid credentials, to crash the daemon and possibly execute arbitrary code in the ProFTPD process. Upgrade to 1.3.3d or later; until then, disabling mod_sql removes the reachable code path.
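The shape of the bug, and of the bounded alternative, as an added illustration in C. This is not ProFTPD's code: STMT_MAX, resolve_tag, expand_where_tags, build_user_where and expansion_needed are hypothetical names, the buffer is made tiny so the effect is visible, and only the %U and %% tags are modelled. The sample usernames are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for a fixed-size statement buffer. Tiny on purpose so a short,
 * tag-laden login name overruns it; mod_sql's real limit is larger. */
#define STMT_MAX 32

/* Hypothetical tag resolver: %U is the login name, %% a literal '%'. */
static const char *resolve_tag(char tag, const char *user)
{
    switch (tag) {
    case 'U': return user;
    case '%': return "%";
    default:  return "";            /* unknown tag expands to nothing */
    }
}

/* Append src at offset used in out (capacity out_len) without writing past
 * out_len - 1, keeping out NUL-terminated. Returns strlen(src), the space src
 * needs, so the caller can total the required length snprintf-style.
 * out may be NULL when out_len is 0 (measure only). */
static size_t append_bounded(char *out, size_t out_len, size_t used,
                             const char *src)
{
    size_t n = strlen(src);

    if (used < out_len) {
        size_t room = out_len - used - 1;
        size_t copy = n < room ? n : room;

        memcpy(out + used, src, copy);
        out[used + copy] = '\0';
    }
    return n;
}

/* Expand %-tags in clause into out. Returns the length the full expansion
 * needs; a value >= out_len means out is truncated and must not be used.
 * The vulnerable pattern is this same loop appending with plain strcat()
 * into a STMT_MAX heap buffer and never checking the space left. */
size_t expand_where_tags(const char *clause, const char *user,
                         char *out, size_t out_len)
{
    size_t need = 0;
    char lit[2] = { '\0', '\0' };

    if (out_len > 0)
        out[0] = '\0';
    for (const char *p = clause; *p != '\0'; p++) {
        if (*p == '%' && p[1] != '\0') {
            need += append_bounded(out, out_len, need, resolve_tag(p[1], user));
            p++;                                      /* consume tag char */
        } else {
            lit[0] = *p;
            need += append_bounded(out, out_len, need, lit);
        }
    }
    return need;
}

/* Build "userid = '<name>'" the way the affected path did: splice the
 * client-supplied name into the clause text first, expand tags afterwards,
 * so tags inside the name are honoured. Stores the bytes the expansion needs
 * in *needed and fails closed (NULL) when it would not fit. Caller frees. */
char *build_user_where(const char *user, size_t *needed)
{
    static const char prefix[] = "userid = '";
    size_t plen = sizeof prefix - 1, ulen = strlen(user), need;
    char *clause = malloc(plen + ulen + 2);       /* closing quote + NUL */
    char *stmt = malloc(STMT_MAX);

    if (clause == NULL || stmt == NULL) {
        free(clause);
        free(stmt);
        return NULL;
    }
    memcpy(clause, prefix, plen);
    memcpy(clause + plen, user, ulen);
    clause[plen + ulen] = '\'';
    clause[plen + ulen + 1] = '\0';

    need = expand_where_tags(clause, user, stmt, STMT_MAX);
    free(clause);
    if (needed != NULL)
        *needed = need;
    if (need >= STMT_MAX) {            /* the unchecked version overflowed here */
        free(stmt);
        return NULL;
    }
    return stmt;
}

/* Bytes the expanded clause for user needs; each %U re-inserts the whole name. */
size_t expansion_needed(const char *user)
{
    size_t need = 0;
    free(build_user_where(user, &need));
    return need;
}

int main(void)
{
    const char *names[] = { "alice", "bob%%", "%U%U%U%U" };   /* constructed */
    for (size_t i = 0; i < 3; i++) {
        char *w = build_user_where(names[i], NULL);
        printf("%-10s needs %2zu bytes -> %s\n", names[i],
               expansion_needed(names[i]), w ? w : "rejected: would overflow");
        free(w);
    }
    return 0;
}
```

The eight-byte name `%U%U%U%U` needs 43 bytes once every tag has re-inserted the name, well past the 32-byte buffer; with the running total checked the clause is rejected, and with the unchecked strcat() pattern those extra bytes land on the heap past the allocation. The same growth is what makes the real buffer overrunable by a login name a client sends before any password is checked.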
EPSS Score
7% chance of being exploited in the next 30 days.
Timeline
Vulnerability published
Vulnerability reserved
