ALT-PU-2018-2263-1

Package update lftp in branch sisyphus

Version4.8.4-alt1

Published2018-09-01

Max severityMEDIUM

Severity:

Closed issues (2)

MEDIUM5.3

Уязвимость консольного FTP-клиента lftp, существующая из-за недостаточной проверки входных данных, позволяющая нарушителю выполнить удаление файлов в текущем рабочем каталоге системы

Published: 2019-04-04Modified: 2021-03-29

CVSS 3.xMEDIUM 5.3

CVSS:3.x/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

CVSS 2.0HIGH 7.1

CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:C/A:N

References

MEDIUM6.5

It has been discovered that lftp up to and including version 4.8.3 does not properly sanitize remote file names, leading to a loss of integrity on the local system when reverse mirroring is used. A remote attacker may trick a user to use reverse mirroring on an attacker controlled FTP server, resulting in the removal of all files in the current working directory of the victim's system.

Published: 2018-08-01Modified: 2024-11-21

CVSS 2.0HIGH 7.8

CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:C

CVSS 3.xMEDIUM 6.5

CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

References