
exploitDog


CVE-2010-2251

Published: 06 Jul 2010
Source: ubuntu
Priority: medium
EPSS: Low
CVSS2: 7.5

Description

The get1 command, as used by lftpget, in LFTP before 4.0.6 does not properly validate a server-provided filename before determining the destination filename of a download, which allows remote servers to create or overwrite arbitrary files via a Content-Disposition header that suggests a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory.

| Release | Status | Note |
|---|---|---|
| dapper | not-affected | code not present |
| devel | not-affected | 4.0.6-1 |
| hardy | released | 3.6.1-1ubuntu0.1 |
| jaunty | released | 3.7.8-1ubuntu0.1 |
| karmic | released | 3.7.15-1ubuntu2.1 |
| lucid | released | 4.0.2-1ubuntu0.1 |
| upstream | released | 4.0.6 |

EPSS

Percentile: 84%
0.02416
Low

7.5 High

CVSS2

Related vulnerabilities

redhat
about 15 years ago

The get1 command, as used by lftpget, in LFTP before 4.0.6 does not properly validate a server-provided filename before determining the destination filename of a download, which allows remote servers to create or overwrite arbitrary files via a Content-Disposition header that suggests a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory.

nvd
almost 15 years ago

The get1 command, as used by lftpget, in LFTP before 4.0.6 does not properly validate a server-provided filename before determining the destination filename of a download, which allows remote servers to create or overwrite arbitrary files via a Content-Disposition header that suggests a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory.

debian
almost 15 years ago

The get1 command, as used by lftpget, in LFTP before 4.0.6 does not pr ...

github
about 3 years ago

The get1 command, as used by lftpget, in LFTP before 4.0.6 does not properly validate a server-provided filename before determining the destination filename of a download, which allows remote servers to create or overwrite arbitrary files via a Content-Disposition header that suggests a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory.

oracle-oval
almost 15 years ago

ELSA-2010-0585: lftp security update (MODERATE)
