PT-2020-18317 · Uftpd · Uftpd

Aaron Esau · Published 2020-01-22 · Updated 2020-01-30 · CVE-2020-5221

CVSS v3.1: 7.2 High
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: uftpd versions prior to 2.11

Description: The issue allows an unauthenticated user to perform a directory traversal attack using multiple different FTP commands, enabling them to read and write to arbitrary locations on the filesystem. This is due to the lack of a well-written chroot jail in the compose_abspath() function.

Recommendations: For versions prior to 2.11, update to version 2.11 to resolve the issue. As a temporary workaround, consider restricting access to the FTP server until the update can be applied.
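
The kind of confinement check the Description says was missing, as an added example. It is not uftpd's code or its 2.11 fix. The function name `confine_path`, the root `/srv/ftp` and the buffer sizes are assumptions, and `root` is assumed to have no trailing slash.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not uftpd's compose_abspath()): map a client-supplied
 * FTP path onto the filesystem so that the result always stays under `root`.
 * `cwd` is the session's current directory relative to the FTP root.
 * Returns 0 on success, -1 if the path climbs above the root or is too long. */
int confine_path(const char *root, const char *cwd, const char *arg,
                 char *out, size_t outlen)
{
    char joined[1024], norm[1024] = "";
    size_t len = 0;
    int n;

    /* Absolute client paths start at the FTP root, relative ones at cwd. */
    if (arg[0] == '/')
        n = snprintf(joined, sizeof(joined), "%s", arg);
    else
        n = snprintf(joined, sizeof(joined), "%s/%s", cwd, arg);
    if (n < 0 || (size_t)n >= sizeof(joined))
        return -1;

    /* Resolve "." and ".." lexically, one component at a time.
     * strtok() is not reentrant; a threaded server would use strtok_r(). */
    for (char *tok = strtok(joined, "/"); tok; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0)
            continue;
        if (strcmp(tok, "..") == 0) {
            if (len == 0)
                return -1;              /* would leave the root: reject */
            while (len > 0 && norm[--len] != '/')
                ;                       /* drop the last component */
            norm[len] = '\0';
            continue;
        }
        size_t tl = strlen(tok);
        if (len + 1 + tl >= sizeof(norm))
            return -1;
        norm[len++] = '/';
        memcpy(norm + len, tok, tl + 1);    /* copies the trailing NUL too */
        len += tl;
    }

    /* Only now is the root prepended, so client input can never replace it. */
    n = snprintf(out, outlen, "%s%s", root, len ? norm : "/");
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}
```

The check is purely lexical, so it does not follow symbolic links; a server would still resolve the result (for example with `realpath()`) and compare it against the root, or run inside a real `chroot()`.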

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2020-5221
GHSA-WMX8-V7MX-6X9H

Affected Products

Uftpd