CVE-2020-25269: Use After Free
First published: Fri Sep 11 2020(Updated: )
An issue was discovered in InspIRCd 2 before 2.0.29 and 3 before 3.6.0. The pgsql module contains a use after free vulnerability. When combined with the sqlauth or sqloper modules, this vulnerability can be used for remote crashing of an InspIRCd server by any user able to connect to a server.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/inspircd | 2.0.27-1+deb10u1 3.8.1-2 3.15.0-1 | |
| InspIRCd | >=2.0<2.0.29 | |
| InspIRCd | >=3.0<3.6.0 | |
| Debian Linux | =9.0 | |
| Debian Linux | =10.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://docs.inspircd.org/security/2020-01/
- https://github.com/inspircd/inspircd/compare/426d1c8...b3f1db9
- https://github.com/inspircd/inspircd/compare/v2.0.28...07d7dea
- https://lists.debian.org/debian-lts-announce/2020/09/msg00015.html
- https://www.debian.org/security/2020/dsa-4764
- https://github.com/inspircd/inspircd/commit/07d7dea334fc56642793aa5ae1e05ae3185c474b
- https://github.com/inspircd/inspircd/commit/a9e107c646ac6d7310b55d0c2e0b06a9cec0a874
- https://github.com/inspircd/inspircd/commit/6f6fa13042f319bcd56ceed112c0a969337e4161
- https://github.com/inspircd/inspircd/commit/b3f1db9d162455af4b31edf231ba749140d37219
- https://github.com/inspircd/inspircd/commit/fbdd08043e97c2749ce2f03382559bba89abf47a
- https://github.com/inspircd/inspircd/commit/b24a91181f58c7f7141de8995ff212993bcc333b
- https://security-tracker.debian.org/tracker/CVE-2020-25269
Frequently Asked Questions
What is the severity of CVE-2020-25269?
CVE-2020-25269 is classified as a high severity vulnerability due to its potential to cause remote server crashes.
How do I fix CVE-2020-25269?
To fix CVE-2020-25269, upgrade to InspIRCd version 2.0.29 or later, or version 3.6.0 or later.
Which versions of InspIRCd are affected by CVE-2020-25269?
InspIRCd versions prior to 2.0.29 and versions prior to 3.6.0 are affected by CVE-2020-25269.
What is the primary risk associated with CVE-2020-25269?
The primary risk associated with CVE-2020-25269 is the ability for remote users to crash the InspIRCd server.
What modules need to be enabled for CVE-2020-25269 to be exploited?
The vulnerabilities in CVE-2020-25269 can be exploited when the pgsql module is used in conjunction with the sqlauth or sqloper modules.
- collector/security-tracker-debian
- agent/type
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/author
- agent/last-modified-date
- agent/references
- agent/first-publish-date
- agent/event
- agent/description
- agent/source
- agent/weakness
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/debian
- vendor/inspircd
- canonical/inspircd
- version/inspircd/2.0
- version/inspircd/3.0
- vendor/debian
- canonical/debian linux
- version/debian linux/9.0
- version/debian linux/10.0