CVE-2011-0418

The glob implementation in Pure-FTPd before 1.0.32, and in libc in NetBSD 5.1, does not properly expand expressions containing curly brackets, which allows remote authenticated users to cause a denial of service (memory consumption) via a crafted FTP STAT command.
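
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 4 UNKNOWN | NETWORK | LOW | | AV:N/AC:L/Au:S/C:N/I:N/A:P |
| certcc | CNA | --- | | | | --- |
| CVE | ADP | --- | | | | --- |
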
EPSS Score Percentile: 94%

| Vendor | Product | Version |
|---|---|---|
| pureftpd | pure-ftpd | 𝑥 ≤ 1.0.31 |
| pureftpd | pure-ftpd | 0.90 |
| pureftpd | pure-ftpd | 0.91 |
| pureftpd | pure-ftpd | 0.92 |
| pureftpd | pure-ftpd | 0.93 |
| pureftpd | pure-ftpd | 0.94 |
| pureftpd | pure-ftpd | 0.95 |
| pureftpd | pure-ftpd | 0.95-pre1 |
| pureftpd | pure-ftpd | 0.95-pre2 |
| pureftpd | pure-ftpd | 0.95-pre3 |
| pureftpd | pure-ftpd | 0.95-pre4 |
| pureftpd | pure-ftpd | 0.95.1 |
| pureftpd | pure-ftpd | 0.95.2 |
| pureftpd | pure-ftpd | 0.96 |
| pureftpd | pure-ftpd | 0.96.1 |
| pureftpd | pure-ftpd | 0.96pre1:pre1 |
| pureftpd | pure-ftpd | 0.97-final |
| pureftpd | pure-ftpd | 0.97.1 |
| pureftpd | pure-ftpd | 0.97.2 |
| pureftpd | pure-ftpd | 0.97.3 |
| pureftpd | pure-ftpd | 0.97.4 |
| pureftpd | pure-ftpd | 0.97.5 |
| pureftpd | pure-ftpd | 0.97.6 |
| pureftpd | pure-ftpd | 0.97.7 |
| pureftpd | pure-ftpd | 0.97.7pre1:pre1 |
| pureftpd | pure-ftpd | 0.97.7pre2:pre2 |
| pureftpd | pure-ftpd | 0.97.7pre3:pre3 |
| pureftpd | pure-ftpd | 0.97pre1:pre1 |
| pureftpd | pure-ftpd | 0.97pre2:pre2 |
| pureftpd | pure-ftpd | 0.97pre3:pre3 |
| pureftpd | pure-ftpd | 0.97pre4:pre4 |
| pureftpd | pure-ftpd | 0.97pre5:pre5 |
| pureftpd | pure-ftpd | 0.98-final |
| pureftpd | pure-ftpd | 0.98.1 |
| pureftpd | pure-ftpd | 0.98.2 |
| pureftpd | pure-ftpd | 0.98.2a:a |
| pureftpd | pure-ftpd | 0.98.3 |
| pureftpd | pure-ftpd | 0.98.4 |
| pureftpd | pure-ftpd | 0.98.5 |
| pureftpd | pure-ftpd | 0.98.6 |
| pureftpd | pure-ftpd | 0.98.7 |
| pureftpd | pure-ftpd | 0.98pre1:pre1 |
| pureftpd | pure-ftpd | 0.98pre2:pre2 |
| pureftpd | pure-ftpd | 0.99 |
| pureftpd | pure-ftpd | 0.99.1 |
| pureftpd | pure-ftpd | 0.99.1a:a |
| pureftpd | pure-ftpd | 0.99.1b:b |
| pureftpd | pure-ftpd | 0.99.2 |
| pureftpd | pure-ftpd | 0.99.2a:a |
| pureftpd | pure-ftpd | 0.99.3 |
| pureftpd | pure-ftpd | 0.99.4 |
| pureftpd | pure-ftpd | 0.99.9 |
| pureftpd | pure-ftpd | 0.99a:a |
| pureftpd | pure-ftpd | 0.99b:b |
| pureftpd | pure-ftpd | 0.99pre1:pre1 |
| pureftpd | pure-ftpd | 0.99pre2:pre2 |
| pureftpd | pure-ftpd | 1.0.0 |
| pureftpd | pure-ftpd | 1.0.1 |
| pureftpd | pure-ftpd | 1.0.2 |
| pureftpd | pure-ftpd | 1.0.3 |
| pureftpd | pure-ftpd | 1.0.4 |
| pureftpd | pure-ftpd | 1.0.5 |
| pureftpd | pure-ftpd | 1.0.6 |
| pureftpd | pure-ftpd | 1.0.7 |
| pureftpd | pure-ftpd | 1.0.8 |
| pureftpd | pure-ftpd | 1.0.9 |
| pureftpd | pure-ftpd | 1.0.10 |
| pureftpd | pure-ftpd | 1.0.11 |
| pureftpd | pure-ftpd | 1.0.12 |
| pureftpd | pure-ftpd | 1.0.13a:a |
| pureftpd | pure-ftpd | 1.0.14 |
| pureftpd | pure-ftpd | 1.0.15 |
| pureftpd | pure-ftpd | 1.0.16a:a |
| pureftpd | pure-ftpd | 1.0.16b:b |
| pureftpd | pure-ftpd | 1.0.16c:c |
| pureftpd | pure-ftpd | 1.0.17 |
| pureftpd | pure-ftpd | 1.0.17a:a |
| pureftpd | pure-ftpd | 1.0.18 |
| pureftpd | pure-ftpd | 1.0.19 |
| pureftpd | pure-ftpd | 1.0.20 |
| pureftpd | pure-ftpd | 1.0.21 |
| pureftpd | pure-ftpd | 1.0.22 |
| pureftpd | pure-ftpd | 1.0.24 |
| pureftpd | pure-ftpd | 1.0.25 |
| pureftpd | pure-ftpd | 1.0.26 |
| pureftpd | pure-ftpd | 1.0.27 |
| pureftpd | pure-ftpd | 1.0.28 |
| pureftpd | pure-ftpd | 1.0.29 |
| pureftpd | pure-ftpd | 1.0.30 |
| netbsd | netbsd | 5.1 |

𝑥 = Vulnerable software versions

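Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| pure-ftpd | bullseye | 1.0.49-4.1 | fixed |
| pure-ftpd | bookworm | 1.0.50-2.1 | fixed |
| pure-ftpd | sid | 1.0.50-2.2 | fixed |
| pure-ftpd | trixie | 1.0.50-2.2 | fixed |
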
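Ubuntu Releases

| Ubuntu Product | Codename | Status |
|---|---|---|
| pure-ftpd | saucy | not-affected |
| pure-ftpd | raring | not-affected |
| pure-ftpd | quantal | not-affected |
| pure-ftpd | precise | not-affected |
| pure-ftpd | oneiric | not-affected |
| pure-ftpd | natty | ignored |
| pure-ftpd | maverick | ignored |
| pure-ftpd | lucid | ignored |
| pure-ftpd | hardy | ignored |
| pure-ftpd | dapper | ignored |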