CVE-2009-5012 — Improper Access Control in Pyftpdlib

CWE-264 CWE-284 — Improper Access Control7 documents5 sources

Severity

4.0MEDIUMNVD

EPSS

0.2%

top 58.02%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

G.rodola Pyftpdlib Debian Python-pyftpdlib

Timeline

PublishedOct 19

Latest updateMay 2

Description

ftpserver.py in pyftpdlib before 0.5.2 does not require the l permission for the MLST command, which allows remote authenticated users to bypass intended access restrictions and list the root directory via an FTP session.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 8.0 | Impact: 2.9

Affected Packages3 packages

▶PyPIg.rodola/pyftpdlib< 0.5.2

▶debiandebian/python-pyftpdlib< python-pyftpdlib 0.5.2-1 (bookworm)

▶NVDg.rodola/pyftpdlib0.5.1+6

🔴Vulnerability Details

OSV

Improper Access Control in pyftpdlib↗2022-05-02

▶

GHSA

Improper Access Control in pyftpdlib↗2022-05-02

▶

OSV

CVE-2009-5012: ftpserver↗2010-10-19

▶

📋Vendor Advisories

Debian

CVE-2009-5012: python-pyftpdlib - ftpserver.py in pyftpdlib before 0.5.2 does not require the l permission for the...↗2009

▶

💬Community

Bugzilla

CVE-2009-5011 CVE-2009-5012 CVE-2009-5013 CVE-2010-3494 pyftpdlib various flaws [fedora-12]↗2010-10-24

▶

Bugzilla

CVE-2009-5012 pyftpdlib: Ability to list the root directory via an FTP session↗2010-10-24

▶