CVE Catalog

CVE-2023-3603

LowCVSS 3.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
0.77%

51th percentile — higher than 51% of all known CVEs

Summary

A missing allocation check in the SFTP server processing read requests may lead to a NULL dereference under low memory conditions. A malicious client can request up to 4GB SFTP reads, potentially causing allocation of up to 4GB buffers without error checking.

Risk Assessment

This may crash the authenticated user's SFTP server connection, and for thread-based servers, it could also lead to DoS for legitimate users.

Recommendation

It is recommended to monitor and update the SFTP server to avoid potential memory allocation issues in future releases.

Original NVD description (English source)

A missing allocation check in sftp server processing read requests may cause a NULL dereference on low-memory conditions. The malicious client can request up to 4GB SFTP reads, causing allocation of up to 4GB buffers, which was not being checked for failure. This will likely crash the authenticated user's sftp server connection (if implemented as forking as recommended). For thread-based servers, this might also cause DoS for legitimate users. Given this code is not in any released versions, no security releases have been issued.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS