CVE-2022-2560

Опубликовано: 29 мар. 2023

Источник: nvd

CVSS3: 8.2

CVSS3: 9.1

EPSS Средний

Описание

This vulnerability allows remote attackers to delete arbitrary files on affected installations of EnterpriseDT CompleteFTP 22.1.0 Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the HttpFile class. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to delete files in the context of SYSTEM. Was ZDI-CAN-17481.

Ссылки

https://www.zerodayinitiative.com/advisories/ZDI-22-1032/
Third Party Advisory
VDB Entry
https://www.zerodayinitiative.com/advisories/ZDI-22-1032/
Third Party Advisory
VDB Entry

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:enterprisedt:completeftp_server:*:*:*:*:*:*:*:*

Версия до 22.1.1 (исключая)

EPSS

Процентиль: 98%

0.57914

Средний

8.2 High

CVSS3

9.1 Critical

CVSS3

Дефекты

CWE-22

Связанные уязвимости

GHSA-5xr5-9vfx-374w

CVSS3: 9.1

github

почти 3 года назад

This vulnerability allows remote attackers to delete arbitrary files on affected installations of EnterpriseDT CompleteFTP CompleteFTP Server v22.1.0 Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the HttpFile class. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to delete files in the context of SYSTEM. Was ZDI-CAN-17481.

EPSS

Процентиль: 98%

0.57914

Средний

8.2 High

CVSS3

9.1 Critical

CVSS3

Дефекты

CWE-22