CVE-2002-1345 — Improper Neutralization of Leading Special Elements in Fireftp

CWE-160 — Improper Neutralization of Leading Special Elements CWE-22 — Path Traversal CWE-36 — Absolute Path Traversal CWE-37 — Path Traversal: '/absolute/pathname/here'30 documents4 sources

Severity

9.3CRITICALNVD

NVD6.8NVD5.0CNA5.0

EPSS

2.1%

top 15.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fireftp Glub Secure FTP Core FTP +9 more

Timeline

PublishedDec 23

Latest updateMay 17

Description

Directory traversal vulnerabilities in multiple FTP clients on UNIX systems allow remote malicious FTP servers to create or overwrite files as the client user via filenames containing /absolute/path or .. (dot dot) sequences.

CVSS vector

AV:N/AC:L/C:N/I:P/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages12 packages

▶NVDfireftp/fireftp0.98

▶NVDglub/secure_ftp2.5.15

▶NVDsun/sunos5.7

▶NVDsun/solaris2.6, 7.0+1

▶NVDestsoft/alftp4.1, 5.0+1

Patches

Patch: www.kb.cert.org ↗Patch: www.kb.cert.org ↗

🔴Vulnerability Details

GHSA

GHSA-3mm4-jwgr-q6c5: Directory traversal vulnerability in the FTP client in AceFTP Freeware 3↗2022-05-17

▶

GHSA

GHSA-23mg-qphc-9fg5: Directory traversal vulnerabilities in multiple FTP clients on UNIX systems allow remote malicious FTP servers to create or overwrite files as the cli↗2022-05-03

▶

GHSA

GHSA-8q66-4pqj-jhjr: Directory traversal vulnerability in the FTP client in Glub Tech Secure FTP before 2↗2022-05-01

▶

GHSA

GHSA-22rg-5392-7gh6: Directory traversal vulnerability in the FTP client in ALTools ESTsoft ALFTP 4↗2022-05-01

▶

GHSA

GHSA-6hxg-34v8-xgrp: Directory traversal vulnerability in the FireFTP add-on before 0↗2022-05-01

▶

📐Framework References

CWE

Improper Neutralization of Leading Special Elements↗

▶

CWE

Absolute Path Traversal↗

▶

CWE

Path Traversal: '/absolute/pathname/here'↗

▶