{"id":"USN-8114-1","summary":"gvfs vulnerabilities","details":"It was discovered that the GVfs FTP backend incorrectly handled IP\naddresses and ports returned by passive mode responses. A malicious remote\nserver could possibly use this issue to help scan for open ports.\n(CVE-2026-28295)\n\nIt was discovered that the GVfs FTP backend incorrectly handled crafted\nfile paths. A remote attacker could use this issue to terminate or inject\narbitrary FTP commands, or possibly execute arbitrary code.\n(CVE-2026-28296)","modified":"2026-04-24T10:11:09.892535Z","published":"2026-03-23T12:53:19Z","related":["UBUNTU-CVE-2026-28295","UBUNTU-CVE-2026-28296"],"upstream":["CVE-2026-28295","CVE-2026-28296","UBUNTU-CVE-2026-28295","UBUNTU-CVE-2026-28296"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-8114-1"}],"affected":[{"package":{"name":"gvfs","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/gvfs@1.48.2-0ubuntu1.1?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.48.2-0ubuntu1.1"}]}],"versions":["1.47.91-1ubuntu1","1.48.1-2ubuntu2","1.48.1-2ubuntu3","1.48.1-2ubuntu5","1.48.1-3","1.48.1-4","1.48.2-0ubuntu1"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_version":"1.48.2-0ubuntu1.1","binary_name":"gvfs"},{"binary_version":"1.48.2-0ubuntu1.1","binary_name":"gvfs-backends"},{"binary_version":"1.48.2-0ubuntu1.1","binary_name":"gvfs-common"},{"binary_version":"1.48.2-0ubuntu1.1","binary_name":"gvfs-daemons"},{"binary_version":"1.48.2-0ubuntu1.1","binary_name":"gvfs-fuse"},{"binary_version":"1.48.2-0ubuntu1.1","binary_name":"gvfs-libs"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8114-1.json","cves_map":{"ecosystem":"Ubuntu:22.04:LTS","cves":[]}}},{"package":{"name":"gvfs","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/gvfs@1.54.4-0ubuntu1~24.04.2?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.54.4-0ubuntu1~24.04.2"}]}],"versions":["1.52.0-1","1.52.1-1build1","1.52.2-1","1.53.90-2","1.54.0-1build1","1.54.0-1build2","1.54.0-1build3","1.54.0-1ubuntu2","1.54.4-0ubuntu1~24.04.1"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_version":"1.54.4-0ubuntu1~24.04.2","binary_name":"gvfs"},{"binary_version":"1.54.4-0ubuntu1~24.04.2","binary_name":"gvfs-backends"},{"binary_version":"1.54.4-0ubuntu1~24.04.2","binary_name":"gvfs-common"},{"binary_version":"1.54.4-0ubuntu1~24.04.2","binary_name":"gvfs-daemons"},{"binary_version":"1.54.4-0ubuntu1~24.04.2","binary_name":"gvfs-fuse"},{"binary_version":"1.54.4-0ubuntu1~24.04.2","binary_name":"gvfs-libs"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8114-1.json","cves_map":{"ecosystem":"Ubuntu:24.04:LTS","cves":[]}}},{"package":{"name":"gvfs","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/gvfs@1.57.2-2ubuntu5.1?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.57.2-2ubuntu5.1"}]}],"versions":["1.57.2-2ubuntu1","1.57.2-2ubuntu4","1.57.2-2ubuntu5"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_version":"1.57.2-2ubuntu5.1","binary_name":"gvfs"},{"binary_version":"1.57.2-2ubuntu5.1","binary_name":"gvfs-backends"},{"binary_version":"1.57.2-2ubuntu5.1","binary_name":"gvfs-common"},{"binary_version":"1.57.2-2ubuntu5.1","binary_name":"gvfs-daemons"},{"binary_version":"1.57.2-2ubuntu5.1","binary_name":"gvfs-fuse"},{"binary_version":"1.57.2-2ubuntu5.1","binary_name":"gvfs-libs"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8114-1.json","cves_map":{"ecosystem":"Ubuntu:25.10","cves":[]}}}],"schema_version":"1.7.5"}