Description
ftp-srv is an npm package providing a modern and extensible FTP server designed to be simple yet configurable. ftp-srv before versions 2.19.6, 3.1.2, and 4.3.4 is vulnerable to Server-Side Request Forgery (SSRF): the PORT command accepts arbitrary IP addresses, which can be used to make the server open a connection to a host of the client's choosing. A possible workaround is blocking the PORT command through the server configuration. This issue is fixed in versions 2.19.6, 3.1.2, and 4.3.4. More information can be found in the linked advisory.
References
- Patch, Third Party Advisory
- Mitigation, Patch, Third Party Advisory
- Product, Third Party Advisory
Vulnerable configurations
Configuration 1 (one of):
- cpe:2.3:a:ftp-srv_project:ftp-srv:*:*:*:*:*:node.js:*:* : versions before 2.19.6 (excluding)
- cpe:2.3:a:ftp-srv_project:ftp-srv:*:*:*:*:*:node.js:*:* : versions from 3.0.0 (including) up to 3.1.2 (excluding)
- cpe:2.3:a:ftp-srv_project:ftp-srv:*:*:*:*:*:node.js:*:* : versions from 4.0.0 (including) up to 4.3.4 (excluding)
EPSS
Score: 0.00215 (percentile: 44%, Low)
CVSS3
9.1 Critical
CVSS2
5 Medium
Weaknesses
CWE-918
Related vulnerabilities