CVE-2015-1419
Published 2015-01-28
CVE-2015-1419: Unspecified vulnerability in vsftpd 3.0.2 and earlier allows remote attackers to bypass access restrictions via unknown vectors, related to deny_file parsing.
Priority P3 · 37 · medium · 5 (CVSS 2.0)
AV:N/AC:L/Au:N/C:N/I:P/A:N
EXPLOIT
EPSS: 6.73% (93.1th percentile)
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | vsftpd | < vsftpd 3.0.2-18 (bookworm) | vsftpd 3.0.2-18 (bookworm) |
| opensuse | opensuse | — | — |
| opensuse | opensuse | — | — |
| vsftpd_project | vsftpd | <= 3.0.2 | — |
| vsftpd_project | vsftpd | >= 0 < 3.0.2-18 | 3.0.2-18 |
| vsftpd_project | vsftpd | >= 0 < 3.0.2-18 | 3.0.2-18 |
| vsftpd_project | vsftpd | >= 0 < 3.0.2-18 | 3.0.2-18 |
| vsftpd_project | vsftpd | >= 0 < 3.0.2-18 | 3.0.2-18 |
Detection & IOCs
other: vsFTPd ([0-9.]+)
- Banner-based detection: check FTP banner for 'vsFTPd' string and extract version; flag if version is <= 3.0.2
- Send a 4-byte null hex probe (00000000) on TCP port 21 and inspect the raw response for the vsFTPd banner to identify vulnerable versions
- The vulnerability is related to improper parsing of the deny_file configuration directive; audit vsftpd.conf for use of deny_file on servers running vsftpd <= 3.0.2
- Red Hat Product Security determined this is NOT a security vulnerability for RHEL 5/6/7, citing the vsftpd.conf man page which warns deny_file should not be used for serious access control and that filesystem permissions should be preferred instead.
- The man page for vsftpd.conf explicitly warns that deny_file is not suitable for serious access control and that care must be taken when files are accessible by multiple names (e.g., via symlinks or hard links).
- Debian fixed the issue in vsftpd package version 3.0.2-18 across bookworm, bullseye, forky, sid, and trixie.
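An added example (not from any of the sources aggregated on this page): a Python audit that combines the banner check and the vsftpd.conf review listed above, so a host is flagged only when an in-range or undeterminable version is paired with an active deny_file. The function names are hypothetical and the sample banner and configuration are constructed.

```python
import re

BANNER_RE = re.compile(r"vsFTPd ([0-9.]+)")  # banner pattern listed on this page
LAST_AFFECTED = (3, 0, 2)                     # "vsftpd 3.0.2 and earlier"

# Constructed sample inputs, not taken from a real server.
SAMPLE_BANNER = "220 (vsFTPd 3.0.2)\r\n"
SAMPLE_CONF = """\
# constructed vsftpd.conf fragment
anonymous_enable=NO
#deny_file={*.bak}
deny_file={*.key,.private}
"""


def banner_version(banner):
    """Return the advertised vsftpd version as a tuple of ints, or None."""
    match = BANNER_RE.search(banner)
    parts = [p for p in match.group(1).split(".") if p] if match else []
    return tuple(int(p) for p in parts) or None


def conf_options(conf_text):
    """Parse vsftpd.conf text (option=value lines, '#' comments) into a dict."""
    options = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            options[key.strip()] = value.strip()
    return options


def audit(banner, conf_text):
    """Flag hosts that pair an in-range (or hidden) version with deny_file."""
    version = banner_version(banner)
    deny_file = conf_options(conf_text).get("deny_file")
    # An unmatched banner (for example one replaced via ftpd_banner) is
    # treated as unknown rather than safe.
    in_range = version is None or version <= LAST_AFFECTED
    return {
        "version": version,
        "deny_file": deny_file,
        "version_in_range": in_range,
        "needs_review": in_range and deny_file is not None,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_BANNER, SAMPLE_CONF))
```

The banner carries only the upstream version, so a packaged build such as Debian's 3.0.2-18 still matches and has to be confirmed against the installed package revision.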
CVSS provenance
nvd · v2.0 · 5.0 · MEDIUM · AV:N/AC:L/Au:N/C:N/I:P/A:N
osv · 5.0 · MEDIUM
vendor_debian · 5.0 · LOW
vendor_redhat · 5.0 · MEDIUM
GHSA
GHSA-2r24-78wj-92qx: Unspecified vulnerability in vsftpd 3
ghsa_unreviewed·2022-05-14
CVE-2015-1419 [MEDIUM] GHSA-2r24-78wj-92qx: Unspecified vulnerability in vsftpd 3
Unspecified vulnerability in vsftpd 3.0.2 and earlier allows remote attackers to bypass access restrictions via unknown vectors, related to deny_file parsing.
OSV
CVE-2015-1419: Unspecified vulnerability in vsftpd 3
osv·2015-01-28·CVSS 5.0
CVE-2015-1419 [MEDIUM] CVE-2015-1419: Unspecified vulnerability in vsftpd 3
Unspecified vulnerability in vsftpd 3.0.2 and earlier allows remote attackers to bypass access restrictions via unknown vectors, related to deny_file parsing.
Red Hat
vsftpd: access restrictions bypass
vendor_redhat·2015-01-19·CVSS 5.0
CVE-2015-1419 [MEDIUM] vsftpd: access restrictions bypass
Unspecified vulnerability in vsftpd 3.0.2 and earlier allows remote attackers to bypass access restrictions via unknown vectors, related to deny_file parsing.
Statement: Red Hat Product Security determined that this flaw was not a security vulnerability. See the Bugzilla link for more details.
Package: vsftpd (Red Hat Enterprise Linux 5) - Not affected
Package: vsftpd (Red Hat Enterprise Linux 6) - Not affected
Package: vsftpd (Red Hat Enterprise Linux 7) - Not affected
Debian
CVE-2015-1419: vsftpd - Unspecified vulnerability in vsftpd 3.0.2 and earlier allows remote attackers to...
vendor_debian·2015·CVSS 5.0
CVE-2015-1419 [MEDIUM] CVE-2015-1419: vsftpd - Unspecified vulnerability in vsftpd 3.0.2 and earlier allows remote attackers to...
Unspecified vulnerability in vsftpd 3.0.2 and earlier allows remote attackers to bypass access restrictions via unknown vectors, related to deny_file parsing.
Scope: local
bookworm: resolved (fixed in 3.0.2-18)
bullseye: resolved (fixed in 3.0.2-18)
forky: resolved (fixed in 3.0.2-18)
sid: resolved (fixed in 3.0.2-18)
trixie: resolved (fixed in 3.0.2-18)
No detection rules found.
Nuclei
vsftpd <= 3.0.2 - Access Restriction Bypass
nuclei·CVSS 5.0
CVE-2015-1419 [MEDIUM] vsftpd <= 3.0.2 - Access Restriction Bypass
vsftpd 3.0.2 and earlier contain a vulnerability that allows remote attackers to bypass access restrictions due to improper parsing of the deny_file configuration directive.
Template:
id: CVE-2015-1419
info:
  name: vsftpd <= 3.0.2 - Access Restriction Bypass
  author: pussycat0x
  severity: medium
  description: |
    vsftpd 3.0.2 and earlier contain a vulnerability that allows remote attackers to bypass access restrictions due to improper parsing of the deny_file configuration directive.
  impact: |
    Unauthenticated attackers can bypass access restrictions configured via the deny_file directive to access files that should be restricted, potentially exposing sensitive data on vsftpd servers.
  remediation: |
    Update vsftpd to a version newer than 3.0.2 that p
Bugzilla
CVE-2015-1419 vsftpd: access restrictions bypass [fedora-all]
bugzilla·2015-01-29·CVSS 5.0
CVE-2015-1419 [MEDIUM] CVE-2015-1419 vsftpd: access restrictions bypass [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While on
Bugzilla
CVE-2015-1419 vsftpd: access restrictions bypass
bugzilla·2015-01-29·CVSS 5.0
CVE-2015-1419 [MEDIUM] CVE-2015-1419 vsftpd: access restrictions bypass
Common Vulnerabilities and Exposures assigned an identifier CVE-2015-1419 to the following vulnerability:
Name: CVE-2015-1419
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1419
Assigned: 20150127
Reference: http://secunia.com/advisories/62415
Unspecified vulnerability in vsftp 3.0.2 and earlier allows remote attackers to bypass access restrictions via unknown vectors, related to deny_file parsing.
Discussion:
Created vsftpd tracking bugs for this issue:
Affects: fedora-all [bug 1187043]
---
As per the vsftpd.conf man page:
"This option is very simple, and should not be used for serious access control - the filesystem's permissions should be used in preference. However, this option may be useful in certain virtual user
Wiz
CVE-2025-14242 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-14242 [CRITICAL] CVE-2025-14242 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14242: vsftpd vulnerability analysis and mitigation
A flaw was found in vsftpd. This vulnerability allows a denial of service (DoS) via an integer overflow in the ls command parameter parsing, triggered by a remote, authenticated attacker sending a crafted STAT command with a specific byte sequence.
Source : NVD
Score: 6.5
Published January 14, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
vsftpd
Linux Fedora
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 34.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
vsftpd-debuginfo
vsftpd-debugsource
Sources
NVD
AlmaLinux 8 Severity MEDIUM Has Fix Added at: Jan 20, 2026
AlmaLinux 9 Severi
http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00023.html
http://lists.opensuse.org/opensuse-updates/2015-01/msg00041.html
http://secunia.com/advisories/62415
2015-01-28
Published