CVE-2007-2165
6 documents, 6 sources
Severity
5.1 MEDIUM
EPSS
2.5%
top 14.68%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Apr 22
Latest update: May 1
Description
The Auth API in ProFTPD before 20070417, when multiple simultaneous authentication modules are configured, does not require that the module that checks authentication is the same as the module that retrieves authentication data, which might allow remote attackers to bypass authentication, as demonstrated by use of SQLAuthTypes Plaintext in mod_sql, with data retrieved from /etc/passwd.
CVSS vector
AV:N/AC:H/C:P/I:P/A:P
Exploitability: 4.9 | Impact: 6.4
Affected Packages: 2 packages
Patches
Vulnerability Details (3)
GHSA
GHSA-5xmx-5p6r-vfrv: The Auth API in ProFTPD before 20070417, when multiple simultaneous authentication modules are configured, does not require that the module that check... (2022-05-01)
OSV
CVE-2007-2165: The Auth API in ProFTPD before 20070417, when multiple simultaneous authentication modules are configured, does not require that the module that check... (2007-04-22)
CVEList
CVE-2007-2165: The Auth API in ProFTPD before 20070417, when multiple simultaneous authentication modules are configured, does not require that the module that check... (2007-04-22)
Vendor Advisories (1)
Debian
CVE-2007-2165: proftpd-dfsg - The Auth API in ProFTPD before 20070417, when multiple simultaneous authenticati... (2007)