7.8

CVE-2018-10916

Exploit
It has been discovered that lftp up to and including version 4.8.3 does not properly sanitize remote file names, leading to a loss of integrity on the local system when reverse mirroring is used. A remote attacker may trick a user to use reverse mirroring on an attacker controlled FTP server, resulting in the removal of all files in the current working directory of the victim's system.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Lftp ProjectLftp Version <= 4.8.3
CanonicalUbuntu Linux Version12.04 SwEditionesm
OpensuseLeap Version42.3
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 4.78% 0.908
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.5 2.8 3.6
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
nvd@nist.gov 7.8 8.6 7.8
AV:N/AC:M/Au:N/C:N/I:P/A:C
secalert@redhat.com 5.3 1.6 3.6
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00036.html
Third Party Advisory
Mailing List
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00010.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10916
Patch
Third Party Advisory
Issue Tracking
https://github.com/lavv17/lftp/commit/a27e07d90a4608ceaf928b1babb27d4d803e1992
Patch
Third Party Advisory
https://github.com/lavv17/lftp/issues/452
Third Party Advisory
Exploit
https://usn.ubuntu.com/3731-2/
Third Party Advisory