PT-2020-14230 · Ftpsrv · Ftp-Srv

Author: Andreeleuterio

Published: 2020-08-17 · Updated: 2021-05-05

CVE-2020-15152

CVSS v3.1: 9.1 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

ftp-srv versions prior to 2.19.6
ftp-srv versions prior to 3.1.2
ftp-srv versions prior to 4.3.4

Description

The issue allows Server-Side Request Forgery (SSRF) because the PORT command accepts an arbitrary IP address, so the server can be made to open a connection to a host of the client's choosing. FTP uses two connections: one for commands and one for transferring data. In active mode, the PORT command tells the server which IP address and port it should connect back to for the data transfer. Since the client can supply any IP address in the PORT command, it can direct the server to connect elsewhere.
Recommendations

For versions prior to 2.19.6, update to version 2.19.6 or later. For versions prior to 3.1.2, update to version 3.1.2 or later. For versions prior to 4.3.4, update to version 4.3.4 or later.

As a temporary workaround until a fix is applied, consider blacklisting the FTP command PORT so that the server no longer opens active-mode data connections to client-supplied addresses. This can be done by configuring ftp-srv with a blacklist, for example:

```js
const FtpSrv = require('ftp-srv');

// Refuse the PORT command entirely, so the server never opens an
// active-mode data connection to an address chosen by the client.
const ftp = new FtpSrv({
  blacklist: ['PORT']
});
```

SSRF

Related Identifiers

CVE-2020-15152
GHSA-JW37-5GQR-CF9J

Affected Products

Ftp-Srv