CVE-2020-9273 — Vulnetix

Try Vulnetix Request Demo

CVE-2020-9273 PUBLISHED

In ProFTPD 1.3.7, it is possible to corrupt the memory pool by interrupting the data transfer channel. This triggers a use-after-free in alloc_pool in pool.c, and possible remote code execution.

EPSS 68.94% · 98.6th percentile

Risk Scores

EPSS Score

68.94%

98.6th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:16.04:LTS	proftpd-dfsg	0, 1.3.5-2, 1.3.5a-1
Ubuntu:18.04:LTS	proftpd-dfsg	0, 1.3.5d-1, 1.3.5e-1build1

Timeline

Feb 20, 2020 CVE Published
Apr 14, 2021 EPSS Score
Aug 11, 2021 EPSS Score
Aug 26, 2021 EPSS Score
Sep 7, 2021 EPSS Score
Feb 4, 2022 EPSS Score
Apr 1, 2022 EPSS Score
Mar 7, 2023 EPSS Score
Mar 9, 2023 EPSS Score
May 24, 2023 EPSS Score
Nov 8, 2023 EPSS Score
Aug 4, 2024 CVE Updated

References

https://ubuntu.com/security/CVE-2020-9273 third-party-advisory
https://github.com/proftpd/proftpd/issues/903 third-party-advisory
https://github.com/proftpd/proftpd/commit/d388f7904d4c9a6d0ea54237b8b54a57c19d8d49 third-party-advisory
https://github.com/proftpd/proftpd/commit/e845abc1bd86eebec7a0342fded908a1b0f1996b third-party-advisory
https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES third-party-advisory
https://www.cve.org/CVERecord?id=CVE-2020-9273 third-party-advisory

Open in Interactive Console →