CVE-2020-26299 – ftp-srv

Package

Manager: npm
Name: ftp-srv
Vulnerable Version: >=0 <4.4.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00741 pctl0.72071

Details

File System Bounds Escape ### Impact Clients of FTP servers utilizing `ftp-srv` hosted on Windows machines can escape the FTP user's defined root folder using the expected FTP commands, for example, `CWD` and `UPDR`. ### Background When windows separators exist within the path (`\`), `path.resolve` leaves the upper pointers intact and allows the user to move beyond the root folder defined for that user. We did not take that into account when creating the path resolve function.  ### Patches None at the moment. ### Workarounds There are no workarounds for windows servers. Hosting the server on a different OS mitigates the issue. ### References Issues: https://github.com/autovance/ftp-srv/issues/167 https://github.com/autovance/ftp-srv/issues/225 ### For more information If you have any questions or comments about this advisory: Open an issue at https://github.com/autovance/ftp-srv. Please email us directly; security@autovance.com.

Metadata

Created: 2021-02-10T18:11:34Z
Modified: 2021-02-11T17:04:52Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/02/GHSA-pmw4-jgxx-pcq9/GHSA-pmw4-jgxx-pcq9.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-pmw4-jgxx-pcq9
Finding: F063
Auto approve: 1