Description
In uftpd before 2.11, there is a buffer overflow vulnerability in handle_PORT in ftpcmd.c that is caused by a buffer that is 16 bytes large being filled via sprintf() with user input based on the format specifier string %d.%d.%d.%d. The 16 byte size is correct for valid IPv4 addresses (len('255.255.255.255') == 16), but the format specifier %d allows more than 3 digits. This has been fixed in version 2.11
References (3)
Core 3
Core References
Third Party Advisory x_refsource_confirm
https://github.com/troglobit/uftpd/security/advisories/GHSA-wrpr-xw7q-9wvq
Patch, Third Party Advisory x_refsource_misc
https://github.com/troglobit/uftpd/commit/0fb2c031ce0ace07cc19cd2cb2143c4b5a63c9dd
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00034.html
Scores
CVSS v3
6.5
EPSS
0.0069
EPSS Percentile
71.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Details
CWE
CWE-121
CWE-120
Status
published
Products (1)
troglobit/uftpd
< 2.11
Published
Jan 06, 2020
Tracked Since
Feb 18, 2026