A buffer overflow vulnerability in the Virtual Path Mapping component of FTPShell v6.83 allows attackers to cause a denial of service (DoS).

Permalink

Cannot retrieve contributors at this time

**FTPShell Server 6.83 -- Denial of Service**

Discoverer: leiothrix  
Discovery time: 2019/4/27  
Tested Version: 6.83  
Software Link: http://www.ftpshell.com/downloadserver.htm

    Steps to exploit:
    1.Open FTPShell Server
    2.Select "Manage FTP Accounts"
    3.Select "Configure accounts..."
    4.Select "Add path" and in "Virtual Path Mapping" Paste Clipboard
    5.Input POC 417*A
    6.Click on "OK"
    

POC:

> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Result map: ![图片](https://github.com/cve-vul/vul/raw/master/FTPShell/a.png)

![图片](https://github.com/cve-vul/vul/raw/master/FTPShell/b.png)

CVE-2020-18077: vul/FTPShell_Server_6.83_DOS.md at master · cve-vul/vul

In Audio Aurisys HAL, there is a possible permission bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS05977326; Issue ID: ALPS05977326.

**December 2021 Product Security Bulletin**

Published December 1, 2021

The MediaTek Product Security Bulletin contains details of security vulnerabilities affecting MediaTek Smartphone, Tablet, AIoT and Smart display chipsets. Device OEMs have been notified of all the issues and the corresponding security patches for at least two months before publication.

The severity of the identified vulnerabilities was conducted based on the Common Vulnerability Scoring System version 3.1 (CVSS v3.1).

****Summary****

Severity

**CVEs**

High

CVE-2021-0675, CVE-2021-0904

Medium

CVE-2021-0676, CVE-2021-0677, CVE-2021-0678, CVE-2021-0679, CVE-2021-0893, CVE-2021-0894, CVE-2021-0895, CVE-2021-0896, CVE-2021-0897, CVE-2021-0898, CVE-2021-0899, CVE-2021-0900, CVE-2021-0901, CVE-2021-0902, CVE-2021-0903, CVE-2021-0673, CVE-2021-0674

****Details****

CVE

**CVE-2021-0675**

Title

Improper restriction of operations within the bounds of a memory buffer in alac decoder

Severity

High

Vulnerability Type

EoP

CWE

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

In alac decoder, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6570, MT6580, MT6735, MT6737, MT6739, MT6750, MT6750S, MT6753, MT6755, MT6755S, MT6757, MT6757C, MT6757CD, MT6757CH, MT6758, MT6761, MT6763, MT6765, MT6768, MT6771, MT6779, MT6781, MT6785, MT6797, MT6799, MT6833, MT6853, MT6853T, MT6873, MT6877, MT6883, MT6885, MT6889, MT6893, MT8163, MT8167, MT8167S, MT8168, MT8173, MT8175, MT8176, MT8183, MT8185, MT8195, MT8321, MT8362A, MT8365, MT8385, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 8.1, 9.0, 10.0, 11.0

CVE

**CVE-2021-0904**

Title

Incorrect permission assignment for critical resource in SRAMROM

Severity

High

Vulnerability Type

EoP

CWE

CWE-732 Incorrect Permission Assignment for Critical Resource

Description

In SRAMROM, there is a possible permission bypass due to an insecure permission setting. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6771, MT8183, MT8385, MT8788

Affected Software Versions

Android 8.1, 9.0, 10.0, 11.0

CVE

**CVE-2021-0676**

Title

Exposure of sensitive information to an unauthorized actor in geniezone driver

Severity

Medium

Vulnerability Type

ID

CWE

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Description

In geniezone driver, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6762, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6833, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893, MT8163, MT8167, MT8167S, MT8168, MT8173, MT8175, MT8183, MT8185, MT8195, MT8321, MT8362A, MT8365, MT8385, MT8735A, MT8735B, MT8765, MT8766, MT8768, MT8771, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 8.1, 9.0, 10.0, 11.0

CVE

**CVE-2021-0677**

Title

Integer overflow or wraparound in ccu driver

Severity

Medium

Vulnerability Type

ID

CWE

CWE-190 Integer Overflow or Wraparound

Description

In ccu driver, there is a possible out of bounds read due to an integer overflow. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6833, MT6853, MT6873, MT6877, MT6885, MT6889, MT8771, MT8791

Affected Software Versions

Android 11.0

CVE

**CVE-2021-0678**

Title

Improper restriction of operations within the bounds of a memory buffer in apusys

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

In apusys, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893, MT8195, MT8791, MT8797

Affected Software Versions

Android 10.0, 11.0, 12.0

CVE

**CVE-2021-0679**

Title

Improper check or handling of exceptional conditions in apusys

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-703 Improper Check or Handling of Exceptional Conditions

Description

In apusys, there is a possible memory corruption due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893, MT8195, MT8791, MT8797

Affected Software Versions

Android 10.0, 11.0, 12.0

CVE

**CVE-2021-0893**

Title

Use after free in apusys

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-416 Use After Free

Description

In apusys, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893, MT8195, MT8791, MT8797

Affected Software Versions

Android 10.0, 11.0, 12.0

CVE

**CVE-2021-0894**

Title

Improper restriction of operations within the bounds of a memory buffer in apusys

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

In apusys, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893, MT8195, MT8791, MT8797

Affected Software Versions

Android 10.0, 11.0, 12.0

CVE

**CVE-2021-0895**

Title

Improper restriction of operations within the bounds of a memory buffer in apusys

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

In apusys, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893, MT8195, MT8791, MT8797

Affected Software Versions

Android 10.0, 11.0, 12.0

CVE

**CVE-2021-0896**

Title

Improper restriction of operations within the bounds of a memory buffer in apusys

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

In apusys, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893, MT8195, MT8791, MT8797

Affected Software Versions

Android 10.0, 11.0, 12.0

CVE

**CVE-2021-0897**

Title

Time-of-check time-of-use (toctou) race condition in apusys

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition

Description

In apusys, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893, MT8195, MT8791, MT8797

Affected Software Versions

Android 10.0, 11.0, 12.0

CVE

**CVE-2021-0898**

Title

Use after free in apusys

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-416 Use After Free

Description

In apusys, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893, MT8195, MT8791, MT8797

Affected Software Versions

Android 10.0, 11.0, 12.0

CVE

**CVE-2021-0899**

Title

Use after free in apusys

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-416 Use After Free

Description

In apusys, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893, MT8195, MT8791, MT8797

Affected Software Versions

Android 10.0, 11.0, 12.0

CVE

**CVE-2021-0900**

Title

Improper input validation in apusys

Severity

Medium

Vulnerability Type

ID

CWE

CWE-20 Improper Input Validation

Description

In apusys, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893, MT8195, MT8791, MT8797

Affected Software Versions

Android 10.0, 11.0, 12.0

CVE

**CVE-2021-0901**

Title

Integer overflow or wraparound in apusys

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-190 Integer Overflow or Wraparound

Description

In apusys, there is a possible memory corruption due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893, MT8195, MT8791, MT8797

Affected Software Versions

Android 10.0, 11.0, 12.0

CVE

**CVE-2021-0902**

Title

Improper input validation in apusys

Severity

Medium

Vulnerability Type

ID

CWE

CWE-20 Improper Input Validation

Description

In apusys, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893, MT8195, MT8791, MT8797

Affected Software Versions

Android 10.0, 11.0, 12.0

CVE

**CVE-2021-0903**

Title

Improper restriction of operations within the bounds of a memory buffer in apusys

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

In apusys, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893, MT8195, MT8791, MT8797

Affected Software Versions

Android 10.0, 11.0, 12.0

CVE

**CVE-2021-0673**

Title

Improper input validation in Audio Aurisys HAL

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In Audio Aurisys HAL, there is a possible permission bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6779, MT6781, MT6785, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893, MT8183, MT8185, MT8195, MT8321, MT8385, MT8765, MT8766, MT8768, MT8771, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 10.0, 11.0, 12.0

CVE

**CVE-2021-0674**

Title

Improper input validation in alac decoder

Severity

Medium

Vulnerability Type

ID

CWE

CWE-20 Improper Input Validation

Description

In alac decoder, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6570, MT6580, MT6735, MT6737, MT6739, MT6750, MT6750S, MT6753, MT6755, MT6755S, MT6757, MT6757C, MT6757CD, MT6757CH, MT6758, MT6761, MT6763, MT6765, MT6768, MT6771, MT6779, MT6781, MT6785, MT6797, MT6799, MT6833, MT6853, MT6853T, MT6873, MT6877, MT6883, MT6885, MT6889, MT6893, MT8163, MT8167, MT8167S, MT8168, MT8173, MT8175, MT8176, MT8183, MT8185, MT8195, MT8321, MT8362A, MT8365, MT8385, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 8.1, 9.0, 10.0, 11.0

****Vulnerability Type Definition****

Abbreviation

**Definition**

RCE

Remote Code Execution

EoP

Elevation of Privilege

ID

Information Disclosure

DoS

Denial of Service

N/A

Classification not available

****Versions****

**Version**

**Date**

**Description**

1.0

December 1, 2021

Bulletin published.

****Notes****

Information above is generated only at the time of creation of this Security Bulletin. The list of affected chipsets could be not complete. For any further information, device OEMs can reach your MediaTek contact person if needed.

If you want to report a security vulnerability in MediaTek chipsets or products, please go to Report Security Vulnerability page on MediaTek website.

CVE-2021-0673: December 2021

In HashiCorp Vault and Vault Enterprise before 1.7.7, 1.8.x before 1.8.6, and 1.9.x before 1.9.1, clusters using the Integrated Storage backend allowed an authenticated user (with write permissions to a kv secrets engine) to cause a panic and denial of service of the storage backend. The earliest affected version is 1.4.0.

CVE-2021-45042: HCSEC-2021-33 - Vault’s KV Secrets Engine With Integrated Storage Exposed to Authenticated Denial of Service

CVE-2021-45042

In the TransformXML processor of Apache NiFi before 1.15.1 an authenticated user could configure an XSLT file which, if it included malicious external entity calls, may reveal sensitive information.

CVE-2021-44145: Apache NiFi Security Reports

A vulnerability in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via a Raft session flooding attack using Raft OpenSessionRequest messages.

CVE-2020-35210: Raft Session Flooding

An issue in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via false link event messages sent to a master ONOS node.

CVE-2020-35213: Inconsistent Link State Injection

An issue in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via false member down event messages.

CVE-2020-35216: Fake Membership State Advertisement

JFinal_cms 5.1.0 is vulnerable to regex injection that may lead to Denial of Service.

I have tried to contact you by zcool321@sina.com and created #22 asking for the contact. Nobody replied.

The JFinal\_cms is vulnerable to regex injection that may lead to Denial of Service.

User controlled `path` and `contextPath` are used to build and run a regex expression (first argument to replaceFirst):  

protected String getFilePath() {

String path \= this.get.get("path");

return getFilePath(path);

}

/\*\*

\* get File Path

\* <p\>

\* 2016年2月26日 下午3:47:37 flyfox 369191470@qq.com

\*

\* @return

\*/

protected String getFilePath(String path) {

String contextPath \= this.get.get("contextPath");

// 根目录

if (StrUtils.isEmpty(contextPath)) {

return path;

}

if (path.startsWith(contextPath)) {

path \= path.replaceFirst(contextPath, "");

Since the attacker controls the string and the regex pattern he may cause a ReDoS by regex catastrophic backtracking on the server side.

CVE-2021-37262: [SECURITY] Denial of service because of unsafe regex processing · Issue #23 · jflyfox/jfinal_cms

A regular expression denial of service (ReDoS) vulnerability exits in cbioportal 3.6.21 and older via a POST request to /ProteinArraySignificanceTest.json.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

**\[SECURITY\] Denial of service because of unsafe regex processing #8680**

Closed

edvraa opened this issue

Jun 10, 2021

· 10 comments

**Comments**

![@edvraa](https://avatars.githubusercontent.com/u/80588099?s=88&u=fd7774731898fd8b28f0258f59ab09295436e78f&v=4)

![@inodb](https://avatars.githubusercontent.com/u/1334004?s=88&v=4)

Copy link

Member

**![@inodb](https://avatars.githubusercontent.com/u/1334004?s=60&v=4) **inodb** commented Jun 15, 2021**

![@inodb](https://avatars.githubusercontent.com/u/1334004?s=88&v=4)

Copy link

Member

**![@inodb](https://avatars.githubusercontent.com/u/1334004?s=60&v=4) **inodb** commented Jun 15, 2021**

Thanks for reporting! I don't think this code is used anymore actually? Maybe we can delete it?

![@edvraa](https://avatars.githubusercontent.com/u/80588099?s=88&u=fd7774731898fd8b28f0258f59ab09295436e78f&v=4)

Hi,  
Do you plan to release a GitHub security advisory and/or request CVE number?

![@edvraa](https://avatars.githubusercontent.com/u/80588099?s=88&u=fd7774731898fd8b28f0258f59ab09295436e78f&v=4)

Oh, did you just close the issue without fixing the code? Even if the parameters are not used the code is still callable. Do I miss something?

![@edvraa](https://avatars.githubusercontent.com/u/80588099?s=88&u=fd7774731898fd8b28f0258f59ab09295436e78f&v=4)

I thought since the issue was so brutally closed without explanation maybe my code analysis is wrong and it is not expoitable. Thus I have followed the instructions from https://docs.cbioportal.org/2.1.1-deploy-with-docker-recommended/docker and ran a local instance of cbioportal in container. I have a proof of concept when just a single request makes server cpu to consume 100% indefinetely. Please create a security advisory where you could invite me and discuss it in private if you have any questions.

It makes me sad that such a noble project makes it hard to responsibly disclose a security issue that may potentially lead to Denial of Service. Please respond in 24 hours.

![@jjgao](https://avatars.githubusercontent.com/u/840895?s=88&u=5cb7ffdf5b67b9230aa2c58a5b4f0f3b1d247c91&v=4)

Copy link

Member

**![@jjgao](https://avatars.githubusercontent.com/u/840895?s=60&u=5cb7ffdf5b67b9230aa2c58a5b4f0f3b1d247c91&v=4) **jjgao** commented Jul 15, 2021 • Loading**

@edvraa Thanks for reporting this. The code is not being used in production anymore. Also, we planned to retire both core and portal modules once all dependencies are removed (cBioPortal/icebox#161), so at this moment, we will not invest time fixing issues in these two modules that will not be running in production.

![@edvraa](https://avatars.githubusercontent.com/u/80588099?s=88&u=fd7774731898fd8b28f0258f59ab09295436e78f&v=4)

Copy link

Author

**![@edvraa](https://avatars.githubusercontent.com/u/80588099?s=60&u=fd7774731898fd8b28f0258f59ab09295436e78f&v=4) **edvraa** commented Jul 15, 2021 • Loading**

@jjgao The question is not if it is used or not. Single request to `http://cbioportal.org/ProteinArraySignificanceTest.json?heat_map=censored&gene=censored&alteration=censored` will make the web server consume 100% CPU. Multiple requests like this may potentially take down the server. Since it is not used, commenting out the function or disabling the route sounds as easy fix, right?

![@adamabeshouse](https://avatars.githubusercontent.com/u/636232?s=88&u=79428c3f295c811c55c9446302f1e08dfd2e5bc0&v=4)

@edvraa thanks for reporting this! The endpoint has now been deleted in master.

![@edvraa](https://avatars.githubusercontent.com/u/80588099?s=88&u=fd7774731898fd8b28f0258f59ab09295436e78f&v=4)

![@adamabeshouse](https://avatars.githubusercontent.com/u/636232?s=88&u=79428c3f295c811c55c9446302f1e08dfd2e5bc0&v=4)

We release frequently and it will be in the next one.

Tag

#dos