Main Vulnerability Database Vulnerabilities #VU14187

Security restrictions bypass in lftp - CVE-2018-10916

Published: August 2, 2018 / Updated: August 3, 2018

Vulnerability identifier: #VU14187

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2018-10916

CWE-ID: CWE-119

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: lftp

Affected software:
lftp

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The vulnerability exists due to improper sanitization of remote file names. A remote unauthenticated attacker can trick the victim into using reverse mirroring on an attacker controlled FTP server bypass security restrictions and remove all files in the current working directory of the victim's system.

How to mitigate CVE-2018-10916

Update to version 4.8.4.

Sources

https://github.com/lavv17/lftp/commit/a27e07d90a4608ceaf928b1babb27d4d803e1992

Security restrictions bypass in lftp - CVE-2018-10916

Detailed vulnerability description

How to mitigate CVE-2018-10916

Sources

Please verify you're human