CVE-2020-15152 – ftp-srv

Package

Manager: npm
Name: ftp-srv
Vulnerable Version: >=0 <2.19.6 || >=3.0.0 <3.1.2 || >=4.0.0 <4.3.4

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00215 pctl0.44025

Details

Server-Side Request Forgery in ftp-srv ### Background The FTP protocol creates two connections, one for commands and one for transferring data. This second data connection can be created in two ways, on the server by sending the PASV command, or on the client by sending the PORT command. The PORT command sends the IP and port for the server to connect to the client with. ### Issue Since the client can send an arbitrary IP with the PORT command, this can be used to cause the server to make a connection elsewhere. ### Patches * _fix: disallow PORT connections to alternate hosts_: e449e75219d918c400dec65b4b0759f60476abca Deprecation notices have been published for older versions. ### Workarounds Blacklisting the FTP Command `PORT` will prevent the server from exposing this behaviour through active connections until a fix is applied. ```js const ftp = new FtpSrv({ blacklist: ['PORT'] }); ``` ### References https://www.npmjs.com/advisories/1445 ### Credits Thank you to; @trs for fixing it @andreeleuterio for reporting it to us for an anonymous user (Vincent) through the NPM platform @quiquelhappy for bringing it to our attention after it slipped through the cracks during Christmas ### For more information If you have any questions or comments about this advisory: * Open an issue at [https://github.com/autovance/ftp-srv](https://github.com/autovance/ftp-srv) * Email us directly; security@autovance.com

Metadata

Created: 2020-08-17T21:44:54Z
Modified: 2021-01-12T19:30:42Z
Source: MANUAL
CWE IDs: ["CWE-918"]
Alternative ID: GHSA-jw37-5gqr-cf9j
Finding: F100
Auto approve: 1