CVE-2010-4755
Severity CVSS v4.0:
Pending analysis
Type:
CWE-399
Resource Management Errors
Publication date:
02/03/2011
Last modified:
11/04/2025
Description
The (1) remote_glob function in sftp-glob.c and the (2) process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in SSH_FXP_STAT requests to an sftp daemon, a different vulnerability than CVE-2010-2632.
Impact
Base Score 2.0
4.00
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:* | 5.8 (including) | |
| cpe:2.3:a:openbsd:openssh:1.2:*:*:*:*:*:*:* | ||
| cpe:2.3:a:openbsd:openssh:1.2.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:openbsd:openssh:1.2.2:*:*:*:*:*:*:* | ||
| cpe:2.3:a:openbsd:openssh:1.2.3:*:*:*:*:*:*:* | ||
| cpe:2.3:a:openbsd:openssh:1.2.27:*:*:*:*:*:*:* | ||
| cpe:2.3:a:openbsd:openssh:1.3:*:*:*:*:*:*:* | ||
| cpe:2.3:a:openbsd:openssh:1.5:*:*:*:*:*:*:* | ||
| cpe:2.3:a:openbsd:openssh:1.5.7:*:*:*:*:*:*:* | ||
| cpe:2.3:a:openbsd:openssh:1.5.8:*:*:*:*:*:*:* | ||
| cpe:2.3:a:openbsd:openssh:2.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:openbsd:openssh:2.1.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:openbsd:openssh:2.2:*:*:*:*:*:*:* | ||
| cpe:2.3:a:openbsd:openssh:2.3:*:*:*:*:*:*:* | ||
| cpe:2.3:a:openbsd:openssh:2.3.1:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://cvsweb.netbsd.org/cgi-bin/cvsweb.cgi/src/crypto/dist/ssh/Attic/sftp-glob.c#rev1.13.12.1
- http://cvsweb.netbsd.org/cgi-bin/cvsweb.cgi/src/crypto/dist/ssh/Attic/sftp.c#rev1.21.6.1
- http://cxib.net/stuff/glob-0day.c
- http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2010-008.txt.asc
- http://securityreason.com/achievement_securityalert/89
- http://securityreason.com/exploitalert/9223
- http://securityreason.com/securityalert/8116
- http://cvsweb.netbsd.org/cgi-bin/cvsweb.cgi/src/crypto/dist/ssh/Attic/sftp-glob.c#rev1.13.12.1
- http://cvsweb.netbsd.org/cgi-bin/cvsweb.cgi/src/crypto/dist/ssh/Attic/sftp.c#rev1.21.6.1
- http://cxib.net/stuff/glob-0day.c
- http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2010-008.txt.asc
- http://securityreason.com/achievement_securityalert/89
- http://securityreason.com/exploitalert/9223
- http://securityreason.com/securityalert/8116