Fetch Softworks Fetch FTP Client 5.8 Remote CPU Consumption (Denial of Service)

Low
Advisory ID
ZSL-2022-5696
Release Date
27 January 2022
Vendor
Affected Version
5.8.2 (5K1354)
Tested On
macOS Monterey 12.2, macOS Big Sur 11.6.2
Summary

Fetch is a reliable, full-featured file transfer client for the Apple Macintosh whose user interface emphasizes simplicity and ease of use. Fetch supports FTP and SFTP, the most popular file transfer protocols on the Internet for compatibility with thousands of Internet service providers, web hosting companies, publishers, pre-press companies, and more.

Description

The application is prone to a denial of service (DoS): receiving a long server response (more than 2K bytes) drives it to 100% CPU consumption.
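
The advisory does not state the root cause, so the following is an added example (not Fetch's code and not from the advisory) of one way an FTP client can bound control-connection replies so that an oversized response becomes a clean error. The 2048-byte line cap, the 64-line cap and the names `read_line`, `read_reply` and `ReplyTooLong` are assumptions made for illustration.

```python
import io

MAX_LINE = 2048        # assumed per-line cap, in bytes
MAX_REPLY_LINES = 64   # assumed cap on lines in one multi-line reply


class ReplyTooLong(Exception):
    """Server reply exceeded the limits this client accepts."""


def read_line(stream, limit=MAX_LINE):
    """Read one reply line; never buffer more than limit + 1 bytes."""
    line = stream.readline(limit + 1)
    if not line:
        raise EOFError("control connection closed")
    if len(line) > limit:
        raise ReplyTooLong(f"reply line longer than {limit} bytes")
    if not line.endswith(b"\n"):
        raise EOFError("control connection closed mid-line")
    return line.rstrip(b"\r\n")


def read_reply(stream):
    """Parse one RFC 959 reply (single- or multi-line) into (code, lines)."""
    first = read_line(stream)
    code = first[:3]
    if len(code) != 3 or not code.isdigit():
        raise ValueError("malformed reply code")
    lines = [first]
    if first[3:4] == b"-":                      # "ddd-" opens a multi-line reply
        while True:
            if len(lines) >= MAX_REPLY_LINES:
                raise ReplyTooLong("too many lines in one reply")
            nxt = read_line(stream)
            lines.append(nxt)
            if nxt[:3] == code and nxt[3:4] == b" ":   # "ddd " closes it
                break
    return int(code), [l.decode("latin-1") for l in lines]


if __name__ == "__main__":
    # Constructed sample input; a real client would pass sock.makefile("rb")
    # on a socket that also has a timeout set.
    ok = io.BytesIO(b"211-Features\r\n MDTM\r\n211 End\r\n")
    print(read_reply(ok))
    oversized = io.BytesIO(b"220 " + b"A" * 4096 + b"\r\n")
    try:
        read_reply(oversized)
    except ReplyTooLong as exc:
        print("rejected:", exc)
```

Because the reader stops at `limit + 1` bytes and raises, the caller can close the connection and report the error rather than continuing to process an unbounded response.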

Proof of Concept
Disclosure Timeline
N/A
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
27.01.2022 - Initial release
01.02.2022 - Added reference [1], [2] and [3]
02.02.2022 - Added reference [4]
24.03.2026 - Added reference [5]