GHSA-r4m5-47cq-6qg8 – ftp-srv

Package

Manager: npm
Name: ftp-srv
Vulnerable Version: >=1.0.0 <2.19.6 || >=3.0.0 <3.1.2 || >=4.0.0 <4.3.4

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:H/SI:H/SA:L

EPSS: N/A pctlN/A

Details

Server-Side Request Forgery in ftp-srv All versions of `ftp-srv` from v1.0.0 onward to v4.3.3 are vulnerable to Server-Side Request Forgery (SSRF). The package fails to prevent remote clients to access other resources in the network, for example when connecting to the server through telnet. This allows attackers to access any network resources available to the server, including private resources in the hosting environment. ## Recommendation Upgrade to patched versions `^2.19.6, ^3.1.2, ^4.3.4` ## Workarounds Blacklisting the FTP Command PORT will prevent the server from exposing this behaviour through active connections until a fix is applied. ``` const ftp = new FtpSrv({ blacklist: ['PORT'] }); ```

Metadata

Created: 2020-09-04T17:25:13Z
Modified: 2024-01-08T21:29:30Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-r4m5-47cq-6qg8/GHSA-r4m5-47cq-6qg8.json
CWE IDs: ["CWE-918"]
Alternative ID: N/A
Finding: F100
Auto approve: 1