CVE-2018-10916
Description
It has been discovered that lftp up to and including version 4.8.3 does not properly sanitize remote file names, leading to a loss of integrity on the local system when reverse mirroring is used. A remote attacker may trick a user into using reverse mirroring on an attacker-controlled FTP server, resulting in the removal of all files in the current working directory of the victim's system.
Risk Information
Base Score
6.5
MODERATE
Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score
Exploitation Probability
0.696
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| SUSE-SU-2019:0642-1 (SUSE Linux Enterprise Desktop 12-SP3) lftp-4.7.4-3.6.1.x86_64.rpm | Linux |
| SUSE-SU-2019:0642-1 (SUSE Linux Enterprise Desktop 12-SP4) lftp-debuginfo-4.7.4-3.6.1.x86_64.rpm | Linux |
| SUSE-SU-2019:0642-1 (SUSE Linux Enterprise Desktop 12-SP3) lftp-debugsource-4.7.4-3.6.1.x86_64.rpm | Linux |
| (RHSA-2020:1045) lftp security update lftp-4.4.8-12.el7.i686.rpm | Linux |
| (RHSA-2020:1045) lftp security update lftp-4.4.8-12.el7.x86_64.rpm | Linux |
| (RHSA-2020:1045) lftp security update lftp-scripts-4.4.8-12.el7.noarch.rpm | Linux |
| (RHSA-2020:1045) Moderate: security update lftp-debuginfo-4.4.8-12.el7.i686.rpm | Linux |
| (RHSA-2020:1045) Moderate: security update lftp-debuginfo-4.4.8-12.el7.x86_64.rpm | Linux |
| Lftp update (ELSA-2020-1045) lftp-4.4.8-12.el7.i686.rpm | Linux |
| Lftp update (ELSA-2020-1045) lftp-4.4.8-12.el7.x86_64.rpm | Linux |
| lftp Security Update (ALAS-2020-1453) lftp-4.4.8-12.amzn2.1.i686.rpm | Linux |
| lftp Security Update (ALAS-2020-1453) lftp-4.4.8-12.amzn2.1.x86_64.rpm | Linux |
| lftp Security Update (ALAS-2020-1453) lftp-scripts-4.4.8-12.amzn2.1.noarch.rpm | Linux |
Patch Details
No records found