QwikSec

Security Database

CVE

CWE

Training

CVE-2018-10916

Published: Aug 1, 2018

Modified: Aug 5, 2024

PUBLISHED

CVSS v3.0

5.3

MEDIUM

Description

It has been discovered that lftp up to and including version 4.8.3 does not properly sanitize remote file names, leading to a loss of integrity on the local system when reverse mirroring is used. A remote attacker may trick a user to use reverse mirroring on an attacker controlled FTP server, resulting in the removal of all files in the current working directory of the victim's system.

Vendor	Product	Versions
[UNKNOWN]	lftp	affected `up to and including 4.8.3`

Weaknesses (CWE)

CVSS v3.0 Details

CVSS v3.0 Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

References

https://github.com/lavv17/lftp/issues/452

x_refsource_CONFIRM

vendor-advisory

x_refsource_UBUNTU

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10916

x_refsource_CONFIRM

https://github.com/lavv17/lftp/commit/a27e07d90a4608ceaf928b1babb27d4d803e1992

x_refsource_CONFIRM

openSUSE-SU-2019:1059

vendor-advisory

x_refsource_SUSE

openSUSE-SU-2019:1110

vendor-advisory

x_refsource_SUSE

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.