CVE-2013-4359 - Integer overflow in kbdint.c in mod_sftp in ProFTPD 1.3.4d and 1.3.5r3 allows remote attackers to ca

CVE-2013-4359

Summary

Integer overflow in kbdint.c in mod_sftp in ProFTPD 1.3.4d and 1.3.5r3 allows remote attackers to cause a denial of service (memory consumption) via a large response count value in an authentication request, which triggers a large memory allocation.

References

Vulnerable Configurations

cpe:2.3:a:proftpd:proftpd:1.3.4:d:*:*:*:*:*:*
cpe:2.3:a:proftpd:proftpd:1.3.4:d:*:*:*:*:*:*
cpe:2.3:a:proftpd:proftpd:1.3.5:rc3:*:*:*:*:*:*
cpe:2.3:a:proftpd:proftpd:1.3.5:rc3:*:*:*:*:*:*

CVSS

Base:	5.0 (as of 31-12-2016 - 02:59)
Impact:
Exploitability:

CWE

CWE-189

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
NONE	NONE	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:N/C:N/I:N/A:P

refmap via4

confirm	http://bugs.proftpd.org/show_bug.cgi?id=3973
debian	DSA-2767
misc	http://kingcope.wordpress.com/2013/09/11/proftpd-mod_sftpmod_sftp_pam-invalid-pool-allocation-in-kbdint-authentication/
mlist	[oss-security] 20130916 Re: CVE request: proftpd: mod_sftp/mod_sftp_pam invalid pool allocation during kbdint authentication
suse	openSUSE-SU-2013:1563 openSUSE-SU-2015:1031

Last major update

31-12-2016 - 02:59

Published

30-09-2013 - 21:55

Last modified

31-12-2016 - 02:59