CVE-2006-6171 : ProFTPD 1.3.0a and earlier does not properly set the buffer size limit when CommandBufferSize is specified in the config

ProFTPD 1.3.0a and earlier does not properly set the buffer size limit when CommandBufferSize is specified in the configuration file, which leads to an off-by-two buffer underflow. NOTE: in November 2006, the role of CommandBufferSize was originally associated with CVE-2006-5815, but this was an error stemming from a vague initial disclosure. NOTE: ProFTPD developers dispute this issue, saying that the relevant memory location is overwritten by assignment before further use within the affected function, so this is not a vulnerability

Published 2006-11-30 15:28:00

Updated 2024-04-11 00:41:19

Source MITRE

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2006-6171

Probability of exploitation activity in the next 30 days: 1.56%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 86 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2006-6171

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial

References for CVE-2006-6171

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214820

214820 – (CVE-2006-5815) CVE-2006-5815: proftpd unspecified vulnerability
Vendor Advisory

CVEs referencing this url
http://www.trustix.org/errata/2006/0070

Trustix | Empowering Trust and Security in the Digital Age

CVEs referencing this url
http://secunia.com/advisories/23207

About Secunia Research | Flexera
http://www.mandriva.com/security/advisories?name=MDKSA-2006:217-1

Advisories - Mandriva Linux

CVEs referencing this url
http://www.gentoo.org/security/en/glsa/glsa-200611-26.xml

ProFTPD: Remote execution of arbitrary code (GLSA 200611-26) — Gentoo security

CVEs referencing this url
http://www.debian.org/security/2006/dsa-1222

[SECURITY] [DSA 1222-1] New proftpd packages fix several vulnerabilities

CVEs referencing this url
http://www.openpkg.com/security/advisories/OpenPKG-SA-2006.035.html
http://proftp.cvs.sourceforge.net/proftp/proftpd/src/main.c?r1=1.292&r2=1.293&sortby=date

CVS Info for project proftp
Vendor Advisory
http://www.debian.org/security/2006/dsa-1218

Debian -- The Universal Operating System
http://secunia.com/advisories/23329

About Secunia Research | Flexera
http://secunia.com/advisories/23184

About Secunia Research | Flexera
http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.502491

CVEs referencing this url
http://secunia.com/advisories/23174

About Secunia Research | Flexera
http://secunia.com/advisories/23179

About Secunia Research | Flexera

Products affected by CVE-2006-6171

Proftpd Project » Proftpd
Versions up to, including, (<=) 1.3.0a
cpe:2.3:a:proftpd_project:proftpd:*:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2006-6171

Exploit prediction scoring system (EPSS) score for CVE-2006-6171

CVSS scores for CVE-2006-6171

References for CVE-2006-6171

Products affected by CVE-2006-6171