CVE-2009-5012

ftpserver.py in pyftpdlib before 0.5.2 does not require the l permission for the MLST command, which allows remote authenticated users to bypass intended access restrictions and list the root directory via an FTP session.

Published Bycve@mitre.org

Published DateOct 19, 2010, 20:00

Affected Versions(1)

pyftpdlib(PyPI)

Introduced0

Fixed0.5.2

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
pyftpdlib(PyPI)	0	0.5.2	N/A

Weakness Type (CWE):CWE-264

CVSS Metrics

Base Score

Vector String

AV:N/AC:L/Au:S/C:P/I:N/A:N

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

NONE

Availability (A)

NONE

References

http://code.google.com/p/pyftpdlib/issues/detail?id=114
http://code.google.com/p/pyftpdlib/source/browse/trunk/HISTORY
http://code.google.com/p/pyftpdlib/source/detail?r=596
http://code.google.com/p/pyftpdlib/source/diff?spec=svn596&r=596&format=side&path=/trunk/pyftpdlib/ftpserver.py

Weakness Type (CWE):CWE-264

CVSS Metrics

Base Score

Vector String

AV:N/AC:L/Au:S/C:P/I:N/A:N

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

NONE

Availability (A)

NONE