#VU45122 Permissions, Privileges, and Access Controls in Pure-FTPd - CVE-2011-0988

Cybersecurity Help s.r.o.

Published: 2011-04-18 | Updated: 2025-06-17

Vulnerability identifier: #VU45122

Vulnerability risk: Medium

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2011-0988

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Pure-FTPd
Server applications / File servers (FTP/HTTP)

Vendor: PureFTPd.org

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

pure-ftpd 1.0.22, as used in SUSE Linux Enterprise Server 10 SP3 and SP4, and Enterprise Desktop 10 SP3 and SP4, when running OES Netware extensions, creates a world-writeable directory, which allows local users to overwrite arbitrary files and gain privileges via unspecified vectors.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Pure-FTPd: 1.0.22

External links
https://secunia.com/advisories/44039
https://exchange.xforce.ibmcloud.com/vulnerabilities/66618
https://hermes.opensuse.org/messages/7849430

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Permissions, Privileges, and Access Controls in Pure-FTPd