
CVE-2021-36159: libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric...

CVSS Score: 9.1 (CVSS v3.1)

Basic Information

EPSS Score: 0.76145%
Published: 5/24/2022
Updated: 1/30/2023
KEV Status: No
Technology: -

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability description pinpoints an out-of-bounds read in the FTP passive mode implementation, caused by mishandling of numeric strings parsed with strtol. GitLab issue #10749, referenced in the advisory, carries a diff for ftp.c that shows the exact change that fixes it. The change sits in the loop that parses the address and port octets out of the FTP server's passive-mode (PASV) reply: each iteration hands strtol the current position and takes back the end pointer it returns, and the loop's own increment then advances that pointer once more. When the reply is shorter than expected, strtol stops at the terminating NUL, the extra increment steps past it, and the next iteration reads beyond the end of the line buffer. The surrounding code in the diff and the logic itself place this in the passive-mode handler in ftp.c, which the analysis identifies as fetch_ftp_passive_mode. The patch adds a check for a premature NUL terminator after strtol has advanced the pointer, so the loop stops before the out-of-bounds read. Other functions patched in fetch.c and http.c address similar numeric-parsing issues but are not the direct cause of the described FTP passive-mode vulnerability.
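As an added example (this is not libfetch's code and not the patch from the GitLab issue), the C below reproduces the loop shape described above on a PASV-style reply and puts a hardened parser next to it. The function names parse_pasv_unsafe and parse_pasv_fixed and the sample replies are constructed for this illustration. The truncated reply is stored in a buffer that deliberately carries bytes after its NUL terminator, so the over-read the unsafe loop performs stays inside memory the program owns and can be observed instead of crashing; in the real bug those bytes are whatever happens to follow the line in memory.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PASV_FIELDS 6   /* h1,h2,h3,h4,p1,p2 */

/* Constructed sample replies (not captured from any server). The truncated
 * one ends after the fourth number; the bytes after its NUL exist only so the
 * unsafe loop's over-read lands in memory this program owns. */
static const char good_reply[]      = "227 Entering Passive Mode (10,0,0,1,195,80)";
static const char truncated_reply[] = "227 Entering Passive Mode (10,0,0,1\0,99,99)";
static const char bad_octet_reply[] = "227 Entering Passive Mode (10,0,0,256,195,80)";
static const char no_digits_reply[] = "227 Entering Passive Mode";

/* Mirrors the pre-fix loop shape: strtol advances p, then the loop's p++
 * advances it again. If strtol stopped at the terminating NUL, that p++
 * steps past the end of the string and the next iteration reads beyond it.
 * Returns the number of fields consumed, or -1 if fewer than l were found. */
static int parse_pasv_unsafe(const char *ln, int *addr, int l)
{
    const char *p;
    char *end;
    int i;

    /* skip the reply code and any text up to the first digit */
    for (p = ln + 3; *p && !isdigit((unsigned char)*p); p++)
        ;
    if (!*p)
        return -1;
    for (i = 0; *p && i < l; i++, p++) {
        addr[i] = (int)strtol(p, &end, 10);
        p = end;            /* may now point at the NUL terminator */
    }
    return i < l ? -1 : i;
}

/* Hardened variant written for this example (not libfetch's own patch):
 * every field must start with a digit, fit in an octet, and be followed by
 * the expected separator; the loop never steps over the terminator. */
static int parse_pasv_fixed(const char *ln, int *addr, int l)
{
    const char *p;
    char *end;
    int i;

    if (strlen(ln) < 3)
        return -1;
    for (p = ln + 3; *p && !isdigit((unsigned char)*p); p++)
        ;
    if (!*p)
        return -1;
    for (i = 0; i < l; i++) {
        if (!isdigit((unsigned char)*p))
            return -1;                 /* empty field or junk */
        long v = strtol(p, &end, 10);
        if (v > 255)
            return -1;                 /* every PASV field is an octet */
        addr[i] = (int)v;
        p = end;
        if (i == l - 1)
            break;                     /* last field: do not look past it */
        if (*p != ',')
            return -1;                 /* truncated or malformed reply */
        p++;
    }
    return l;
}

int main(void)
{
    int a[PASV_FIELDS] = {0};
    int n = parse_pasv_unsafe(truncated_reply, a, PASV_FIELDS);
    printf("unsafe: %d fields, port bytes %d,%d (read past the terminator)\n", n, a[4], a[5]);
    n = parse_pasv_fixed(truncated_reply, a, PASV_FIELDS);
    printf("fixed:  %d (rejected)\n", n);
    return 0;
}
```

On the truncated reply the unsafe parser returns 6 and fills the port bytes from data that lies after the terminator, which is exactly the condition the loop should have refused; the hardened parser returns -1 because the fourth field is not followed by a comma. Checking for the separator before advancing is the equivalent of the page's "premature NUL" check, and the octet range check closes the related class of numeric-parsing bugs the advisory mentions for fetch.c and http.c.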


WAF Protection Rules

WAF Rule

libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbe...
