CVE-2019-19269
Advisory lineage Upstream: 0 Downstream: 6
Modified
Published: 26 Nov 2019, 03:34
Last modified:05 Aug 2024, 02:09
Vulnerability Summary
Overall Risk (default)
low
20/100 CVSS Score
4.9 MEDIUM
v3.1 (nvd)
EPSS Score
1.03% LOW
1% probability -0.75%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
26 Nov 2019, 03:34
Published
Vulnerability first disclosed
05 Aug 2024, 02:09
Last Modified
Vulnerability information updated
Description
An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. A dereference of a NULL pointer may occur. This pointer is returned by the OpenSSL sk_X509_REVOKED_value() function when encountering an empty CRL installed by a system administrator. The dereference occurs when validating the certificate of a client connecting to the server in a TLS client/server mutual-authentication setup.
CVSS Metrics
- v3.1•MEDIUM•Score: 4.9CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
- v2.0•MEDIUM•Score: 4AV:N/AC:L/Au:S/C:N/I:N/A:P
EPSS Trends
Current EPSS score: 1.03%• Percentile: 78%
Techniques & Countermeasures
- CWE-476•NULL Pointer Dereference
The product dereferences a pointer that it expects to be valid but is NULL.
Affected Systems
- debian•debian_linux
8.0
- fedoraproject•fedora
30 | 31
- proftpd•proftpd
≤ 1.3.5e | 1.3.6 | 1.3.6:alpha | 1.3.6:beta | 1.3.6:rc1 | 1.3.6:rc2 | 1.3.6:rc3 | 1.3.6:rc4
References (7)
- https://github.com/proftpd/proftpd/issues/861
- https://lists.debian.org/debian-lts-announce/2019/11/msg00039.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OGBBCPLJSDPFG5EI5P5G7P4KEX7YSD5G/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QR65XUHPCRU3NXTSFVF2J4GWRIHC7AHW/
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00009.html
- https://security.gentoo.org/glsa/202003-35
- https://www.oracle.com/security-alerts/cpuapr2020.html