CVE-2011-0418 — Vulnetix

CVE-2011-0418 PUBLISHED CVSS 4 MEDIUM

The glob implementation in Pure-FTPd before 1.0.32, and in libc in NetBSD 5.1, does not properly expand expressions containing curly brackets, which allows remote authenticated users to cause a denial of service (memory consumption) via a crafted FTP STAT command.

EPSS 12.28% · 94.0th percentile

Risk Scores

CVSS 2.0

EPSS Score

12.28%

94.0th percentile

Affected Products

Vendor	Product	Versions
netbsd	netbsd	5.1
pureftpd	pure-ftpd	0, 0.90, 0.91
n/a	n/a	n/a

Exploit Intelligence

http://securityreason.com/achievement_securityalert/97 (nist-nvd)
http://www.securityfocus.com/bid/47671 (nist-nvd)
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gen/glob.c#rev1.28 (circl)
ADV-2011-1273 (circl)
MDVSA-2011:094 (circl)
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gen/glob.c.diff?r1=1.27&r2=1.28&f=h (circl)
https://bugzilla.redhat.com/show_bug.cgi?id=704283 (circl)
8228 (circl)
http://www.pureftpd.org/project/pure-ftpd/news (circl)
libc/glob(3) - Resource Exhaustion / Remote ftpd-anonymous (Denial of Service) - Multiple dos Exploit (variot)

…and 13 more exploits

Timeline

Oct 6, 2010 PoC Published
May 24, 2011 CVE Published
Feb 5, 2013 PoC Published
Feb 4, 2022 EPSS Score
Mar 29, 2022 EPSS Score
Jul 12, 2022 EPSS Score
Sep 4, 2022 EPSS Score
Oct 26, 2022 EPSS Score
Feb 9, 2023 EPSS Score
Mar 7, 2023 EPSS Score
Apr 2, 2023 EPSS Score
Jul 17, 2023 EPSS Score

References

http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gen/glob.c#rev1.28 url
ADV-2011-1273 vdb
MDVSA-2011:094 vendor-advisory
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gen/glob.c.diff?r1=1.27&r2=1.28&f=h url
https://bugzilla.redhat.com/show_bug.cgi?id=704283 url
47671 vdb
20110502 Multiple Vendors libc/glob(3) GLOB_BRACE|GLOB_LIMIT memory exhaustion third-party-advisory
8228 third-party-advisory
http://www.pureftpd.org/project/pure-ftpd/news url
https://nvd.nist.gov/vuln/detail/CVE-2011-0418 advisory

Open in Interactive Console →