Description
options.c in atftp before 0.7.5 reads past the end of an array, and consequently discloses server-side /etc/group data to a remote client.
References (3)
Core References
Patch, Third Party Advisory x_refsource_misc
https://sourceforge.net/p/atftp/code/ci/9cf799c40738722001552618518279e9f0ef62e5
Exploit, Issue Tracking, Mailing List, Third Party Advisory x_refsource_misc
https://bugs.debian.org/1004974
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2022/05/msg00040.html
Scores
CVSS v3: 5.3
EPSS: 0.0012
EPSS Percentile: 30.5%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
CWE: CWE-125
Status: published
Products (4)
atftp_project/atftp: < 0.7.5
debian/debian_linux: 9.0
debian/debian_linux: 10.0
debian/debian_linux: 11.0
Published: Feb 04, 2022
Tracked Since: Feb 18, 2026