CVE-2020-11061

CVE-2020-11061

Name

CVE-2020-11061

Description

In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in Bareos versions 19.2.8, 18.2.9 and 17.2.10.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
Vendor Advisory	https://bugs.bareos.org/view.php?id=1210
Third Party Advisory	https://github.com/bareos/bareos/security/advisories/GHSA-mm45-cg35-54j4
MLIST	https://lists.debian.org/debian-lts-announce/2020/08/msg00051.html

Type

URI

Vendor Advisory

https://bugs.bareos.org/view.php?id=1210

Third Party Advisory

https://github.com/bareos/bareos/security/advisories/GHSA-mm45-cg35-54j4

MLIST

https://lists.debian.org/debian-lts-announce/2020/08/msg00051.html

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:bareos:bareos::::::::`	bareos	>= None	<= 16.2.10
`cpe:2.3:a:bareos:bareos::::::::`	bareos	>= 17.2.4	<= 17.2.9
`cpe:2.3:a:bareos:bareos:18.2.4:rc1::::::`	bareos	== None	== 18.2.4
`cpe:2.3:a:bareos:bareos::::::::`	bareos	>= 18.2.5	<= 18.2.8
`cpe:2.3:a:bareos:bareos::::::::`	bareos	>= 18.4.1	<= 19.2.7

CPE URI

Source package

Min version

Max version

cpe:2.3:a:bareos:bareos:*:*:*:*:*:*:*:*

bareos

>= None

<= 16.2.10

cpe:2.3:a:bareos:bareos:*:*:*:*:*:*:*:*

bareos

>= 17.2.4

<= 17.2.9

cpe:2.3:a:bareos:bareos:18.2.4:rc1:*:*:*:*:*:*

bareos

== None

== 18.2.4

cpe:2.3:a:bareos:bareos:*:*:*:*:*:*:*:*

bareos

>= 18.2.5

<= 18.2.8

cpe:2.3:a:bareos:bareos:*:*:*:*:*:*:*:*

bareos

>= 18.4.1

<= 19.2.7

References

Match rules

Vulnerable and fixed packages