TLS Verification Issues in ProFTPD by ProFTPD Project
CVE-2019-19270

7.5HIGH

Key Information:

Vendor

Proftpd

Status
Proftpd
Vendor
CVE Published:
26 November 2019

What is CVE-2019-19270?

A vulnerability in the ProFTPD server's TLS implementation allows for improper processing of Certificate Revocation Lists (CRLs). Specifically, the function responsible for verifying CRLs fails to adequately check the necessary fields, mistakenly verifying revocation status based solely on the subject of the certificate. As a result, clients with revoked certificates may be permitted to establish connections with the server, potentially exposing sensitive data and compromising server integrity.

References

https://github.com/proftpd/proftpd/issues/859
x_refsource_MISC
https://lists.fedoraproject.org/archives/list/package-ann...
vendor-advisoryx_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/package-ann...
vendor-advisoryx_refsource_FEDORA

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.