{"id":"CVE-2020-15173","details":"In ACCEL-PPP (an implementation of PPTP/PPPoE/L2TP/SSTP), there is a buffer overflow when receiving an l2tp control packet ith an AVP which type is a string and no hidden flags, length set to less than 6. If your application is used in open networks or there are untrusted nodes in the network it is highly recommended to apply the patch. The problem was patched with commit 2324bcd5ba12cf28f47357a8f03cd41b7c04c52b As a workaround changes of commit 2324bcd5ba12cf28f47357a8f03cd41b7c04c52b can be applied to older versions.","aliases":["GHSA-rr68-fchr-69vf"],"modified":"2026-05-18T21:34:56.523136Z","published":"2020-09-09T23:15:10.977Z","database_specific":{"unresolved_ranges":[{"cpes":["cpe:2.3:a:accel-ppp:accel-ppp:*:*:*:*:*:*:*:*"],"vendor_product":"accel-ppp:accel-ppp","source":"CPE_FIELD","extracted_events":[{"last_affected":"1.12.0-92-g38b6104"}]}]},"references":[{"type":"ADVISORY","url":"https://github.com/accel-ppp/accel-ppp/security/advisories/GHSA-rr68-fchr-69vf"},{"type":"FIX","url":"https://github.com/accel-ppp/accel-ppp/commit/2324bcd5ba12cf28f47357a8f03cd41b7c04c52b"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/accel-ppp/accel-ppp","events":[{"introduced":"0"},{"fixed":"2324bcd5ba12cf28f47357a8f03cd41b7c04c52b"}],"database_specific":{"source":"REFERENCES"}}],"versions":["1.12.0","1.10.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-15173.json","vanir_signatures":[{"source":"https://github.com/accel-ppp/accel-ppp/commit/2324bcd5ba12cf28f47357a8f03cd41b7c04c52b","digest":{"length":2018,"function_hash":"56794642800740520946401259974351675976"},"signature_type":"Function","target":{"function":"l2tp_packet_send","file":"accel-pppd/ctrl/l2tp/packet.c"},"signature_version":"v1","id":"CVE-2020-15173-0d351b7d","deprecated":false},{"source":"https://github.com/accel-ppp/accel-ppp/commit/2324bcd5ba12cf28f47357a8f03cd41b7c04c52b","digest":{"length":2061,"function_hash":"21952700318578743277174672561875988151"},"signature_type":"Function","target":{"function":"decode_avp","file":"accel-pppd/ctrl/l2tp/packet.c"},"signature_version":"v1","id":"CVE-2020-15173-18183f2d","deprecated":false},{"source":"https://github.com/accel-ppp/accel-ppp/commit/2324bcd5ba12cf28f47357a8f03cd41b7c04c52b","digest":{"threshold":0.9,"line_hashes":["338317700377576286025478384117828060319","67774926986237965124137075351349135786","172231402997736588041948284279745023379","169662471389383887840954457314071178235","202207538356649699404467984267802779407","34068663212362945259696409867023493914","223445067476677595334087974720663173164","235496519984370181950682888734290326416","262353139577246019899341448417292722658","34284010679476126187584958792322095159","266320997812127624356614364870607225703","43113050897411724562562037315123685637","260700611032244455210623079192684511526","75448575453371037417836989704384408376","15094315502071593330645899362319748074","226168518510105658663461915019527890210","195014094322762653011652376373758428673","38020132500324400824197414452556957027","134235598725696709632253176055695750639","54169553521048110127082531152573051675","132155546471683748481498755599312519486","315419957339496802218627096651997738867","164853230017992990611422989621938626894"]},"signature_type":"Line","target":{"file":"accel-pppd/ctrl/l2tp/l2tp_prot.h"},"signature_version":"v1","id":"CVE-2020-15173-3fb25936","deprecated":false},{"source":"https://github.com/accel-ppp/accel-ppp/commit/2324bcd5ba12cf28f47357a8f03cd41b7c04c52b","digest":{"length":5731,"function_hash":"135159235321692087611349962398979475414"},"signature_type":"Function","target":{"function":"l2tp_recv","file":"accel-pppd/ctrl/l2tp/packet.c"},"signature_version":"v1","id":"CVE-2020-15173-778e7ba3","deprecated":false},{"source":"https://github.com/accel-ppp/accel-ppp/commit/2324bcd5ba12cf28f47357a8f03cd41b7c04c52b","digest":{"threshold":0.9,"line_hashes":["208420057628095866918349505542821309446","228562084722539447355450995829898021587","228012554885983931607472353984076333766","208603660971310996225271071788677474236","129342170442510039628300161766716432960","200401861447203466256151926581713337501","51197383300386729756278966071715851909","15220764526834757860545788607525348351","176750642548900109888997093922851899343","21978425376689532395646869319956777742","144913810872660946088469525813700726872","267598699241708184333447022457558042218","110359615143575925145768674636379758299","244345234613827673152831708031113414725","197553941281280475067420432854089675155","212930769008537196020160996831396180620","136055782448135971673487308337777343781","339761905722502023358623602208624881057","45719336865793148685739569915196487205","106523186263017310213563052599733843908","93507189711659397367466701252139457295","221609342906184199752953653342309081101","190780144101680809821788166767996778861","96847704684967691059740725483794648374","196660500725933982404133994534359861658","23308833275814522414029208876189418176","140754545573426628520065476963800914188","51480960358888919974313526661943895067","205067349334563839647569587776294298948","50168119132159128695259571541974196566","273851211813026280633738708913412304097","300791245108807515941062531419943753417","310587849273472063288185340782371485923","60917053607807950472972905398457546678","89057447771051572969833936868605253828","69449358863308854735214835872656648907","138771810668942442175657764132112814455","32286527123499812758469085724015966835","37585307601885444291248803454730758996","169768695112366133963904255906612321806","275041538839617427084673382910475692752","312506554780720958702732952043243127003","227486735125456283959910855378727667470","38455308020727108901158864286892338181","107390341900910427038210775059710431046","131755206706567582395575540168841226232","51953093278363948017440439943716709491","131470178833387272531361395607980804145","135681439171794964658074432224416861051","147943974312942557040573155431034930078","37912816773072789311516223414386432945","148412392157040744320652995168337441078","113538623065703555972681626877768405986","92242097323238561160499162582976512589","333616836688139715817018876749501712471","50333475835707880422180091234093066504","211468551225736022002601399147587503675","183077719063537806823333519660080386572","289083677215435755675751144465825430727","167340101845747234809544120583448559633","333967653293761162354694023894928925268","206417414366730927761337194774100698873","78513620007881469299222695199082548844","287764084130548515407794883484799718264","126792746798915114052992070502771957877","259931152916181945089248959356437593565","190703369293331853264318435071339125265","10536189051148214485827551924199087026","76124790444394923659247745331074370052","260707314986088878717372626359318391921","289907793498202398592353590599816322626","330434120824353624234073829484960658463","100329998547911248127579090791285739766","150215959648014794668237046059047949316","34602849803371055418101880860675010045","216654152091752644807465326694239104768","301289384192339741514743641453060173593","292063864952385714678102351889063692877","177445308078064075521962554293473127213","282771197349588287777203764200419340941","188295367303283716552284331971202954062","88354153885175652883581084335162178586","172194331458416146705211694395479021430","209856621918269467021912290481541151258","98645638718448395460514432335983822366","132267324180014579743385482813404544714","119908543441828290368493379802782321305","283537382436122318381233371011597790787","67846824516160838678243055835411979111","66769492409387228165031848253096987116","11636205689585824864809514388734433711","180378602047045832311282713674377450154","255060316851297185486136843255478471862","141491696432783483321552126871564148528","295300330928845806779991859737691757335","133237418246094024609829166127064802592","2841861214898496586543257486020550010","311973288946772316175776452152568626589","3450491257990485469554750417671035182","114810495333279399566670581686413323943","105376778413564890820567790575517346299","302333199091959038623690222284415581067","138252081078800054465756864668615407727","309109010936491077118573575152071475274","85720829707466653975504421761228249799","102960521313388501840607660627666219595","300136001522703989644699740151311126666","316820561961740083761502886267442140254","309417831112337580532044459201675738499","307857533668427394147585347396083575158","25998292849918108179403660852733178225","126889479525534986741942767439345496382","6524271411228409436982639326541782407","137468892364371168818796773418774341525","87099718548469632419477361659839268471","131247817742740896853928942897838978264","269642726127945624165277825587022601273","299645784754698559894317983131658162057","257779522594274540198783629359643436315","270517010963959440652111008284380031342","119291770849110313494984999774287565282","292841531867250303429196723716744791629","240066553613770639433417185355632720362","283287590762550547510448869115483203626","117927085282482409875237780090443908958","198086343148873508202328877222580000032","331781580587759001644963838657597089914","7564051071008824273262433944189864009","85695357085653228962162392236482941000","236798758780510953310068515485347455371","42563739037231250202627166545749858755","35136834205201200506981610380987080274","251534683344509804636723064909888094114","301070155600911612864615608575270415549","25939783644731607886683745717295686177","329734287358945873918888969406918218122","299104147284344846426582083405487634745","325908979377057274117618712436809084325","42169927455679994264067671805273743606","21838012272271138743181650995103104090","120594576693022065623635907500353768032","140472581772111897266313358541105397087","321706381357349842578856881754606628621","62313306026043305986171964899118427683","156248751717677540548831428168284865657","152331941808403839231646793783958671761","328935731996207780602230653236314120154","162743741102619606843081906966066058065","303180957279760619672541087468216260208","282839132266528101041273329142250656240","174842255408566206550902033728810828627","67275464780231519013701149388224032464","15220495349709150486165460188009763701","56779408420565649201400994765969598145","83308822468784049169051702889847933013","170580308789676947594385073313078708005","171264937158992163299015952606127557416","320586755581369804895543074984310220278","168971264882190157632851362365979820475","255335687535449485558176005430136145977","82151608554864617542734511595961644122","21299352493849260085288483005745028361","335060209473566259554321739565865568963","295103728750460111586807591923284464","333720237643958569223419528842670253899","74075271992513637763526879443495422463","152080355568445630000619438672039381732","208047156828213821328476414291572292990","67020652858715241420965049628304161190","306680135709408923771833512050931055051","128459403662676623902510975797884505157","116741459783185460709051581290472457543","173112399849840126044865497816025699069","165790171155611691199700075967217605168","179353251122324435495224861413364494574","271320716990069585836235111649575124350","69732575324709515817930251713998896828","258650463804025360874721314209291714242","234499055564558983076536996851677068715","82334693206686565264678812704688328622","250851377230929679543315528807385186531","296904855973072761458793216742967963743","253339951427718372563464343866460158442"]},"signature_type":"Line","target":{"file":"accel-pppd/ctrl/l2tp/packet.c"},"signature_version":"v1","id":"CVE-2020-15173-ad54bb13","deprecated":false},{"source":"https://github.com/accel-ppp/accel-ppp/commit/2324bcd5ba12cf28f47357a8f03cd41b7c04c52b","digest":{"length":602,"function_hash":"264157786689854936099843532802478715746"},"signature_type":"Function","target":{"function":"l2tp_packet_alloc","file":"accel-pppd/ctrl/l2tp/packet.c"},"signature_version":"v1","id":"CVE-2020-15173-da118e96","deprecated":false}],"vanir_signatures_modified":"2026-05-18T21:34:56Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}