CVE-2013-5211

The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:N/I:N/A:P
Base Score
CVSS 3.x
EPSS Score
Percentile: 99%
Affected Products (NVD)
VendorProductVersion
opensuseopensuse
11.4
ntpntp
𝑥
< 4.2.7
ntpntp
4.2.7
ntpntp
4.2.7:p0
ntpntp
4.2.7:p1
ntpntp
4.2.7:p10
ntpntp
4.2.7:p11
ntpntp
4.2.7:p12
ntpntp
4.2.7:p13
ntpntp
4.2.7:p14
ntpntp
4.2.7:p15
ntpntp
4.2.7:p16
ntpntp
4.2.7:p17
ntpntp
4.2.7:p18
ntpntp
4.2.7:p19
ntpntp
4.2.7:p2
ntpntp
4.2.7:p20
ntpntp
4.2.7:p21
ntpntp
4.2.7:p22
ntpntp
4.2.7:p23
ntpntp
4.2.7:p24
ntpntp
4.2.7:p25
ntpntp
4.2.7:p3
ntpntp
4.2.7:p4
ntpntp
4.2.7:p5
ntpntp
4.2.7:p6
ntpntp
4.2.7:p7
ntpntp
4.2.7:p8
ntpntp
4.2.7:p9
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
ntp
bullseye
1:4.2.8p15+dfsg-1
fixed
jessie
no-dsa
squeeze
no-dsa
wheezy
no-dsa
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
ntp
lucid
ignored
precise
ignored
quantal
ignored
raring
ignored
saucy
ignored
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
ntp
Amazon Linux 1
0:4.2.8p11-1.37.amzn1
fixed
Amazon Linux 2
0:4.2.8p15-3.amzn2.0.4
fixed
ntp-debuginfo
Amazon Linux 1
0:4.2.8p11-1.37.amzn1
fixed
Amazon Linux 2
0:4.2.8p15-3.amzn2.0.4
fixed
ntp-doc
Amazon Linux 1
0:4.2.8p11-1.37.amzn1
fixed
Amazon Linux 2
0:4.2.8p15-3.amzn2.0.4
fixed
ntp-perl
Amazon Linux 1
0:4.2.8p11-1.37.amzn1
fixed
Amazon Linux 2
0:4.2.8p15-3.amzn2.0.4
fixed
ntpdate
Amazon Linux 1
0:4.2.8p11-1.37.amzn1
fixed
Amazon Linux 2
0:4.2.8p15-3.amzn2.0.4
fixed
sntp
Amazon Linux 2
0:4.2.8p15-3.amzn2.0.4
fixed
References