CVE-2009-5012
Published 2010-10-19
Priority: P4 · 17 · medium · 4 (CVSS 2.0)
AV:N/AC:L/Au:S/C:P/I:N/A:N
EPSS: 1.03% (59.4th percentile)
ftpserver.py in pyftpdlib before 0.5.2 does not require the l permission for the MLST command, which allows remote authenticated users to bypass intended access restrictions and list the root directory via an FTP session.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-pyftpdlib | < python-pyftpdlib 0.5.2-1 (bookworm) | python-pyftpdlib 0.5.2-1 (bookworm) |
| g.rodola | pyftpdlib | <= 0.5.1 | — |
| g.rodola | pyftpdlib | — | — |
| g.rodola | pyftpdlib | — | — |
| g.rodola | pyftpdlib | — | — |
| g.rodola | pyftpdlib | — | — |
| g.rodola | pyftpdlib | — | — |
| g.rodola | pyftpdlib | — | — |
| g.rodola | pyftpdlib | >= 0 < 0.5.2 | 0.5.2 |
CVSS provenance
nvd·v2.0·4.0·MEDIUM·AV:N/AC:L/Au:S/C:P/I:N/A:N
osv·4.0·MEDIUM
vendor_debian·4.0·MEDIUM
OSV
Improper Access Control in pyftpdlib
osv·2022-05-02
CVE-2009-5012 [HIGH] Improper Access Control in pyftpdlib
ftpserver.py in pyftpdlib before 0.5.2 does not require the l permission for the MLST command, which allows remote authenticated users to bypass intended access restrictions and list the root directory via an FTP session.
GHSA
Improper Access Control in pyftpdlib
ghsa·2022-05-02
CVE-2009-5012 [HIGH] CWE-284 Improper Access Control in pyftpdlib
ftpserver.py in pyftpdlib before 0.5.2 does not require the l permission for the MLST command, which allows remote authenticated users to bypass intended access restrictions and list the root directory via an FTP session.
OSV
CVE-2009-5012: ftpserver
osv·2010-10-19·CVSS 4.0
CVE-2009-5012 [MEDIUM] CVE-2009-5012: ftpserver
ftpserver.py in pyftpdlib before 0.5.2 does not require the l permission for the MLST command, which allows remote authenticated users to bypass intended access restrictions and list the root directory via an FTP session.
Debian
CVE-2009-5012: python-pyftpdlib - ftpserver.py in pyftpdlib before 0.5.2 does not require the l permission for the...
vendor_debian·2009·CVSS 4.0
CVE-2009-5012 [MEDIUM] CVE-2009-5012: python-pyftpdlib - ftpserver.py in pyftpdlib before 0.5.2 does not require the l permission for the...
ftpserver.py in pyftpdlib before 0.5.2 does not require the l permission for the MLST command, which allows remote authenticated users to bypass intended access restrictions and list the root directory via an FTP session.
Scope: local
bookworm: resolved (fixed in 0.5.2-1)
bullseye: resolved (fixed in 0.5.2-1)
forky: resolved (fixed in 0.5.2-1)
sid: resolved (fixed in 0.5.2-1)
trixie: resolved (fixed in 0.5.2-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2009-5011 CVE-2009-5012 CVE-2009-5013 CVE-2010-3494 pyftpdlib various flaws [fedora-12]
bugzilla·2010-10-24·CVSS 4.3
CVE-2009-5011 [MEDIUM] CVE-2009-5011 CVE-2009-5012 CVE-2009-5013 CVE-2010-3494 pyftpdlib various flaws [fedora-12]
fedora-12 tracking bug for pyftpdlib: see blocks bug list for full details of the security issue(s).
This bug is never intended to be made public, please put any public notes
in the 'blocks' bugs.
[bug automatically created by: add-tracking-bugs]
Discussion:
Adding parent bug CVE-2009-5012
New bodhi update url:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=646169,646171
---
Adding parent bug CVE-2009-5013
New bodhi update url:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=646169,646171,646174
---
Adding parent bug CVE-2010-3494
New bodhi update url:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=646169,646171,646174,646177
---
pyftp
Bugzilla
CVE-2009-5012 pyftpdlib: Ability to list the root directory via an FTP session
bugzilla·2010-10-24·CVSS 4.0
CVE-2009-5012 [MEDIUM] CVE-2009-5012 pyftpdlib: Ability to list the root directory via an FTP session
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-5012 to
the following vulnerability:
ftpserver.py in pyftpdlib before 0.5.2 does not require the l
permission for the MLST command, which allows remote authenticated
users to bypass intended access restrictions and list the root
directory via an FTP session.
References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5012
[2] http://code.google.com/p/pyftpdlib/issues/detail?id=114
[3] http://code.google.com/p/pyftpdlib/source/browse/trunk/HISTORY
[4] http://code.google.com/p/pyftpdlib/source/detail?r=596
[5] http://code.google.com/p/pyftpdlib/source/diff?spec=svn596&r=596&format=side&path=/trunk/pyftpdlib/ftpserver.py
Affected ve
2010-10-19
Published