ewxrjk sftpserver parse.c sftp_parse_path Privilege Escalation ⚔ [有争议]

ewxrjk sftpserver中曾发现一漏洞, 此漏洞被申报为棘手。 受此漏洞影响的是功能sftp_parse_path文件:parse.c。 手动调试的不合法输入可导致 Privilege Escalation。 漏洞的CWE定义是 CWE-824。 此漏洞的脆弱性 2022-12-18公示人身份bf4032f34832ee11d79aa60a226cc018e7ec5eed、所公布。 分享公告的网址是github.com。 该漏洞被称作为CVE-2020-36617, 攻击只能在局域网内完成。 有技术细节可用。 没有可利用漏洞。 当前漏洞利用价值为美元大约是 $0-$5k。 它被宣布为未定义。 我们估计的零日攻击价值约为$0-$5k。 目前,此漏洞是否真实存在尚存疑惑。 补丁名称为bf4032f34832ee11d79aa60a226cc018e7ec5eed。 错误修复程序下载地址为github.com, 建议采用一个补丁来修正此问题。 该漏洞被披露后,此前未曾发表过可能的缓解措施。

字段2022-12-18 15時56分2023-01-15 09時22分2023-01-15 09時27分
vendorewxrjkewxrjkewxrjk
namesftpserversftpserversftpserver
fileparse.cparse.cparse.c
functionsftp_parse_pathsftp_parse_pathsftp_parse_path
cwe824824824
risk111
cvss3_vuldb_acHHH
cvss3_vuldb_uiNNN
cvss3_vuldb_sUUU
cvss3_vuldb_rlOOO
cvss3_vuldb_rcCCC
identifierbf4032f34832ee11d79aa60a226cc018e7ec5eedbf4032f34832ee11d79aa60a226cc018e7ec5eedbf4032f34832ee11d79aa60a226cc018e7ec5eed
urlhttps://github.com/ewxrjk/sftpserver/commit/bf4032f34832ee11d79aa60a226cc018e7ec5eedhttps://github.com/ewxrjk/sftpserver/commit/bf4032f34832ee11d79aa60a226cc018e7ec5eedhttps://github.com/ewxrjk/sftpserver/commit/bf4032f34832ee11d79aa60a226cc018e7ec5eed
disputed111
name补丁补丁补丁
patch_namebf4032f34832ee11d79aa60a226cc018e7ec5eedbf4032f34832ee11d79aa60a226cc018e7ec5eedbf4032f34832ee11d79aa60a226cc018e7ec5eed
patch_urlhttps://github.com/ewxrjk/sftpserver/commit/bf4032f34832ee11d79aa60a226cc018e7ec5eedhttps://github.com/ewxrjk/sftpserver/commit/bf4032f34832ee11d79aa60a226cc018e7ec5eedhttps://github.com/ewxrjk/sftpserver/commit/bf4032f34832ee11d79aa60a226cc018e7ec5eed
cveCVE-2020-36617CVE-2020-36617CVE-2020-36617
responsibleVulDBVulDBVulDB
response_summaryIn some deployment models this would be a vulnerability. README specifically warns about avoiding such deployment models.In some deployment models this would be a vulnerability. README specifically warns about avoiding such deployment models.In some deployment models this would be a vulnerability. README specifically warns about avoiding such deployment models.
date1671318000 (2022-12-18)1671318000 (2022-12-18)1671318000 (2022-12-18)
cvss2_vuldb_acHHH
cvss2_vuldb_rcCCC
cvss2_vuldb_rlOFOFOF
cvss2_vuldb_avAAA
cvss2_vuldb_auSSS
cvss2_vuldb_ciPPP
cvss2_vuldb_iiPPP
cvss2_vuldb_aiPPP
cvss2_vuldb_eNDNDND
cvss3_vuldb_avAAA
cvss3_vuldb_prLLL
cvss3_vuldb_cLLL
cvss3_vuldb_iLLL
cvss3_vuldb_aLLL
cvss3_vuldb_eXXX
cvss2_vuldb_basescore4.04.04.0
cvss2_vuldb_tempscore3.53.53.5
cvss3_vuldb_basescore4.64.64.6
cvss3_vuldb_tempscore4.44.44.4
cvss3_meta_basescore4.64.66.3
cvss3_meta_tempscore4.44.46.3
price_0day$0-$5k$0-$5k$0-$5k
cve_assigned1671318000 (2022-12-18)1671318000 (2022-12-18)
cve_nvd_summary** DISPUTED ** A vulnerability was found in ewxrjk sftpserver. It has been declared as problematic. Affected by this vulnerability is the function sftp_parse_path of the file parse.c. The manipulation leads to uninitialized pointer. The real existence of this vulnerability is still doubted at the moment. The name of the patch is bf4032f34832ee11d79aa60a226cc018e7ec5eed. It is recommended to apply a patch to fix this issue. The identifier VDB-216205 was assigned to this vulnerability. NOTE: In some deployment models this would be a vulnerability. README specifically warns about avoiding such deployment models.** DISPUTED ** A vulnerability was found in ewxrjk sftpserver. It has been declared as problematic. Affected by this vulnerability is the function sftp_parse_path of the file parse.c. The manipulation leads to uninitialized pointer. The real existence of this vulnerability is still doubted at the moment. The name of the patch is bf4032f34832ee11d79aa60a226cc018e7ec5eed. It is recommended to apply a patch to fix this issue. The identifier VDB-216205 was assigned to this vulnerability. NOTE: In some deployment models this would be a vulnerability. README specifically warns about avoiding such deployment models.
cvss3_nvd_avN
cvss3_nvd_acL
cvss3_nvd_prN
cvss3_nvd_uiN
cvss3_nvd_sU
cvss3_nvd_cH
cvss3_nvd_iH
cvss3_nvd_aH
cvss3_cna_avA
cvss3_cna_acH
cvss3_cna_prL
cvss3_cna_uiN
cvss3_cna_sU
cvss3_cna_cL
cvss3_cna_iL
cvss3_cna_aL
cve_cnaVulDB
cvss3_nvd_basescore9.8
cvss3_cna_basescore4.6

上一步一览下一步

Interested in the pricing of exploits?

See the underground prices here!