Approved changes feed: RSS · Atom

cpe:2.3:a:troglobit:uftpd:*:*:*:*:*:*:*:*

part: a version: * update: *

VendorTroglobit (87c709cf-cdc0-50a4-9b87-4ed9dd4c0b07)
ProductUftpd (823d5c94-cc74-5f61-8fe6-c9d611435899)
Edition*
Language*
Software edition*
Target software*
Target hardware*
Other*
NotesImported from purl2cpe mapping

PURL mappings

PURLSourceLast updated
pkg:github/troglobit/uftpd purl2cpe 2026-06-01 10:17:47.795051
pkg:rpm/opensuse/uftpd purl2cpe 2026-06-01 10:17:47.795054

Vulnerability references

IdentifiercpeApplicabilitySubmitteddb.gcve.eu detailsRationale
CVE:CVE-2020-5221 vulnerable 2026-06-08 05:26:41.531910 Directory Traversal (Chroot Escape) vulnerability in uftpd
MEDIUM (6.5)
In uftpd before 2.11, it is possible for an unauthenticated user to perform a directory traversal attack using multiple different FTP commands and read and write to arbitrary locations on the filesystem due to the lack of a well-written chroot jail in compose_abspath(). This has been fixed in version 2.11
Published: 2020-01-22T18:50:13.000Z
Updated: 2024-08-04T08:22:08.876Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-5204 vulnerable 2026-06-08 05:26:41.493112 Buffer overflow vulnerability in uftpd
MEDIUM (6.5)
In uftpd before 2.11, there is a buffer overflow vulnerability in handle_PORT in ftpcmd.c that is caused by a buffer that is 16 bytes large being filled via sprintf() with user input based on the format specifier string %d.%d.%d.%d. The 16 byte size is correct for valid IPv4 addresses (len('255.255.255.255') == 16), but the format specifier %d allows more than 3 digits. This has been fixed in version 2.11
Published: 2020-01-06T19:10:12.000Z
Updated: 2024-08-04T08:22:08.699Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-20277 vulnerable 2026-06-08 05:21:03.983647 Details available
There are multiple unauthenticated directory traversal vulnerabilities in different FTP commands in uftpd FTP server versions 2.7 to 2.10 due to improper implementation of a chroot jail in common.c's compose_abspath function that can be abused to read or write to arbitrary files on the filesystem, leak process memory, or potentially lead to remote code execution.
Published: 2020-12-18T18:09:00.000Z
Updated: 2024-08-04T14:15:29.021Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-20276 vulnerable 2026-06-08 05:21:03.983223 Details available
An unauthenticated stack-based buffer overflow vulnerability in common.c's handle_PORT in uftpd FTP server versions 2.10 and earlier can be abused to cause a crash and could potentially lead to remote code execution.
Published: 2020-12-18T18:09:03.000Z
Updated: 2024-08-04T14:15:29.000Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-14149 vulnerable 2026-06-08 05:18:02.110376 Details available
In uftpd before 2.12, handle_CWD in ftpcmd.c mishandled the path provided by the user, causing a NULL pointer dereference and denial of service, as demonstrated by a CWD /.. command.
Published: 2020-06-15T16:52:20.000Z
Updated: 2024-08-04T12:39:36.017Z
Reference links
Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.