CVE-2010-3494: Concurrent Execution using Shared Resource with Improper Synchronization in pyftpdlib

May 17, 2022 (updated October 21, 2024)

Race condition in the FTPHandler class in ftpserver.py in pyftpdlib before 0.5.2 allows remote attackers to cause a denial of service (daemon outage) by establishing and then immediately closing a TCP connection, leading to the accept function having an unexpected value of None for the address, or an ECONNABORTED, EAGAIN, or EWOULDBLOCK error, a related issue to CVE-2010-3492.

References

bugs.launchpad.net/zodb/+bug/135108
github.com/advisories/GHSA-hw4g-fhcp-x5mq
github.com/giampaolo/pyftpdlib
github.com/pypa/advisory-database/tree/main/vulns/pyftpdlib/PYSEC-2010-11.yaml
nvd.nist.gov/vuln/detail/CVE-2010-3494

Code Behaviors & Features

Detect and mitigate CVE-2010-3494 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →