4.9

CVE-2019-19269

An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. A dereference of a NULL pointer may occur. This pointer is returned by the OpenSSL sk_X509_REVOKED_value() function when encountering an empty CRL installed by a system administrator. The dereference occurs when validating the certificate of a client connecting to the server in a TLS client/server mutual-authentication setup.

Data is provided by the National Vulnerability Database (NVD)
ProftpdProftpd Version <= 1.3.5e
ProftpdProftpd Version1.3.6 Update-
ProftpdProftpd Version1.3.6 Updatealpha
ProftpdProftpd Version1.3.6 Updatebeta
ProftpdProftpd Version1.3.6 Updaterc1
ProftpdProftpd Version1.3.6 Updaterc2
ProftpdProftpd Version1.3.6 Updaterc3
ProftpdProftpd Version1.3.6 Updaterc4
FedoraprojectFedora Version30
FedoraprojectFedora Version31
DebianDebian Linux Version8.0
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 1.78% 0.821
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 4.9 1.2 3.6
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov 4 8 2.9
AV:N/AC:L/Au:S/C:N/I:N/A:P
CWE-476 NULL Pointer Dereference

The product dereferences a pointer that it expects to be valid but is NULL.