CVE-2020-9274

HIGH NUCLEI

Pure-FTPd < 1.0.50 - Use-After-Free in diraliases Linked List

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2020-9274 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.

Description

An issue was discovered in Pure-FTPd 1.0.49. An uninitialized pointer vulnerability has been detected in the diraliases linked list. When the *lookup_alias(const char alias) or print_aliases(void) function is called, they fail to correctly detect the end of the linked list and try to access a non-existent list member. This is related to init_aliases in diraliases.c.

Nuclei Templates (1)

Pure-FTPd ≤ 1.0.49 - DoS via Uninitialized Pointer
HIGHVERIFIEDby pussycat0x
Shodan: product:"pure-ftpd" version:"1.0.49" || cpe:"cpe:2.3:a:pureftpd:pure-ftpd"

References (8)

Core 8
Core References
Vendor Advisory x_refsource_misc
https://www.pureftpd.org/project/pure-ftpd/news/
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2020/02/msg00029.html
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/202003-54
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/4515-1/

Scores

CVSS v3 7.5
EPSS 0.0581
EPSS Percentile 92.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-824
Status published
Products (8)
canonical/ubuntu_linux 16.04
debian/debian_linux 8.0
fedoraproject/extra_packages_for_enterprise_linux 7.0
fedoraproject/extra_packages_for_enterprise_linux 8.0
fedoraproject/fedora 30
fedoraproject/fedora 31
fedoraproject/fedora 32
pureftpd/pure-ftpd < 1.0.50
Published Feb 26, 2020
Tracked Since Feb 18, 2026