CVE-2004-1948Invocation of Process Using Visible Sensitive Information in Software Ncftp

CWE-214Invocation of Process Using Visible Sensitive Information6 documents6 sources
Severity
4.6MEDIUMNVD
EPSS
0.1%
top 77.15%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Ncftp Software Ncftp
Timeline
PublishedApr 20
Latest updateApr 29

Description

NcFTP client 3.1.6 and 3.1.7, when the username and password are included in an FTP URL that is provided on the command line, allows local users to obtain sensitive information via "ps aux," which displays the URL in the process list.

CVSS vector

AV:L/AC:L/C:P/I:P/A:PExploitability: 3.9 | Impact: 6.4

Affected Packages2 packages

Debianncftp_software/ncftp< 2:3.1.8-1+3
NVDncftp_software/ncftp13 versions+12

🔴Vulnerability Details

3
GHSA
GHSA-9ww4-42mh-q457: NcFTP client 32022-04-29
CVEList
CVE-2004-1948: NcFTP client 32005-05-10
OSV
CVE-2004-1948: NcFTP client 32004-04-20

📋Vendor Advisories

1
Debian
CVE-2004-1948: ncftp - NcFTP client 3.1.6 and 3.1.7, when the username and password are included in an ...2004

📐Framework References

1
CWE
Invocation of Process Using Visible Sensitive Information
CVE-2004-1948 — Ncftp Software Ncftp vulnerability | cvebase