CVE-2019-19270
HIGHProFTPD <= 1.3.6b - Improper Certificate Validation in CRL Entry Check
Title source: llmDescription
An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. Failure to check for the appropriate field of a CRL entry (checking twice for subject, rather than once for subject and once for issuer) prevents some valid CRLs from being taken into account, and can allow clients whose certificates have been revoked to proceed with a connection to the server.
References (4)
Core 4
Core References
Patch, Third Party Advisory x_refsource_misc
https://github.com/proftpd/proftpd/issues/859
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OGBBCPLJSDPFG5EI5P5G7P4KEX7YSD5G/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QR65XUHPCRU3NXTSFVF2J4GWRIHC7AHW/
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00009.html
Scores
CVSS v3
7.5
EPSS
0.0101
EPSS Percentile
58.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-295
Status
published
Products (4)
fedoraproject/fedora
30
fedoraproject/fedora
31
proftpd/proftpd
1.3.6 (3 CPE variants)
proftpd/proftpd
< 1.3.5
Published
Nov 26, 2019
Tracked Since
Feb 18, 2026