CVE-2007-2165
Published: 2007-04-22
Priority: P3 · 39 · medium · 5.1 (CVSS 2.0)
Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P
EPSS: 12.52% (95.7th percentile)
The Auth API in ProFTPD before 20070417, when multiple simultaneous authentication modules are configured, does not require that the module that checks authentication is the same as the module that retrieves authentication data, which might allow remote attackers to bypass authentication, as demonstrated by use of SQLAuthTypes Plaintext in mod_sql, with data retrieved from /etc/passwd.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | proftpd-dfsg | < proftpd-dfsg 1.3.0-24 (bookworm) | proftpd-dfsg 1.3.0-24 (bookworm) |
| proftpd_project | proftpd | <= 1.3.0_rc1 | — |
CVSS provenance
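| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 5.1 | MEDIUM | AV:N/AC:H/Au:N/C:P/I:P/A:P |
| osv | — | 5.1 | MEDIUM | — |
| vendor_debian | — | 5.1 | LOW | — |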
GHSA
GHSA-5xmx-5p6r-vfrv
ghsa_unreviewed·2022-05-01
OSV
osv·2007-04-22·CVSS 5.1
Debian
CVE-2007-2165: proftpd-dfsg
vendor_debian·2007·CVSS 5.1
Scope: local
bookworm: resolved (fixed in 1.3.0-24)
bullseye: resolved (fixed in 1.3.0-24)
forky: resolved (fixed in 1.3.0-24)
sid: resolved (fixed in 1.3.0-24)
trixie: resolved (fixed in 1.3.0-24)
No detection rules found.
No public exploits indexed.
References
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=419255
http://bugs.proftpd.org/show_bug.cgi?id=2922
http://osvdb.org/34602
http://secunia.com/advisories/24867
http://secunia.com/advisories/25724
http://secunia.com/advisories/27516
http://securitytracker.com/id?1017931
http://www.mandriva.com/security/advisories?name=MDKSA-2007:130
http://www.securityfocus.com/bid/23546
http://www.vupen.com/english/advisories/2007/1444
https://bugzilla.redhat.com/show_bug.cgi?id=237533
https://exchange.xforce.ibmcloud.com/vulnerabilities/33733
https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00065.html