CVE-2011-0762

Publication date 2 March 2011

Last updated 24 July 2024


Ubuntu priority

The vsf_filename_passes_filter function in ls.c in vsftpd before 2.3.3 allows remote authenticated users to cause a denial of service (CPU consumption and process slot exhaustion) via crafted glob expressions in STAT commands in multiple FTP sessions, a different vulnerability than CVE-2010-2632.


Status

| Package | Ubuntu Release | Status |
|---|---|---|
| vsftpd | 10.10 maverick | Fixed 2.3.0~pre2-4ubuntu2.2 |
| vsftpd | 10.04 LTS lucid | Fixed 2.2.2-3ubuntu6.1 |
| vsftpd | 9.10 karmic | Fixed 2.2.0-1ubuntu2.1 |
| vsftpd | 8.04 LTS hardy | Fixed 2.0.6-1ubuntu1.2 |
| vsftpd | 6.06 LTS dapper | Fixed 2.0.4-0ubuntu4.1 |

Notes


mdeslaur

PoC: http://www.exploit-db.com/exploits/16270/
PoC: http://cxib.net/stuff/vspoc232.c
