CVE-2019-12815
published 2019-07-19

Priority: P266, critical
CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 57.61% (99.0th percentile)
An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.

Affected

8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | | |
| debian | debian_linux | | |
| debian | debian_linux | | |
| debian | proftpd-dfsg | < proftpd-dfsg 1.3.6-6 (bookworm) | proftpd-dfsg 1.3.6-6 (bookworm) |
| fedoraproject | fedora | | |
| fedoraproject | fedora | | |
| proftpd | proftpd | <= 1.3.5b | |
| siemens | simatic_cp_1543-1_firmware | >= 2.0 < 2.2 | 2.2 |

Detection & IOCs (extracted from sources)

Port: 21/TCP
  • Detect exploitation attempts by monitoring FTP traffic for CPFR and CPTO command sequences issued by unauthenticated or anonymous users, which are the attack primitives for CVE-2019-12815.
  • Flag ProFTPD installations with anonymous user access enabled, as this configuration allows unauthenticated exploitation of mod_copy via CPFR/CPTO commands.
  • Source installs of ProFTPD from proftpd.org have anonymous user access enabled by default, making them immediately exploitable without credentials; flag these deployments.
  • Identify vulnerable ProFTPD versions: mod_copy was included by default starting with version 1.3.4; all versions from 1.3.4 through at least 1.3.6 are affected.
  • For Siemens SIMATIC CP 1543-1, monitor FTP traffic on port 21/TCP; the embedded ProFTPD FTP server is vulnerable to CVE-2019-12815 in all versions starting at 2.0 and prior to 2.2.
  • ProFTPD 1.3.6 is also affected and does NOT contain the fix despite some reports; there was no patched release version available at time of disclosure.
  • EPEL-6 ships proftpd 1.3.3g which does NOT include mod_copy and is therefore not affected by this vulnerability.
  • The Siemens SIMATIC CP 1543-1 embedded FTP server is disabled in the default configuration; exploitation requires the FTP server to be explicitly enabled.
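
One way to implement the CPFR/CPTO monitoring described in the list above, as an added example that is not from the original page or the ProFTPD project. It assumes a constructed log format of `<session> <C|S> <control line>` and the hypothetical function name `find_suspicious_copies`, and it matches the commands both bare and in mod_copy's `SITE CPFR` / `SITE CPTO` form.

```python
import re
from collections import defaultdict

# Constructed sample, not real traffic. Assumed format: "<session> <C|S> <line>"
# (C = client command, S = server reply). Users and paths are placeholders.
SAMPLE = """\
s1 C USER anonymous
s1 C PASS guest@example.invalid
s1 S 230 Anonymous access granted
s1 C SITE CPFR /placeholder/source
s1 C SITE CPTO /placeholder/dest
s2 C SITE CPFR /placeholder/source
s2 C SITE CPTO /placeholder/dest
s3 C USER alice
s3 S 230 User alice logged in
s3 C SITE CPFR /placeholder/a
s3 C SITE CPTO /placeholder/b
"""
COPY_RE = re.compile(r"^(?:SITE\s+)?(CPFR|CPTO)\b", re.IGNORECASE)
ANON_USERS = {"anonymous", "ftp"}  # conventional anonymous account names

def find_suspicious_copies(log_text):
    """Return (session, reason) for each CPFR->CPTO pair sent without a named login."""
    state = defaultdict(lambda: {"user": None, "authed": False, "cpfr": False})
    alerts = []
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        sid, direction, payload = parts
        st = state[sid]
        if direction == "S":
            st["authed"] = st["authed"] or payload.startswith("230")  # 230 = logged in
            continue
        words = payload.split()
        if words[0].upper() == "USER":  # a new USER restarts the login sequence
            st["user"] = words[1].lower() if len(words) > 1 else None
            st["authed"] = False
            continue
        m = COPY_RE.match(payload)
        if not m or (st["authed"] and st["user"] not in ANON_USERS):
            continue  # not a copy command, or sent by a named authenticated user
        reason = "anonymous" if st["authed"] else "unauthenticated"
        if m.group(1).upper() == "CPFR":
            st["cpfr"] = True
        elif st["cpfr"]:  # CPTO completing a pending CPFR in the same session
            alerts.append((sid, reason))
            st["cpfr"] = False
    return alerts
```

On the constructed sample, sessions `s1` and `s2` are reported and the named login in `s3` is not.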

CVSS provenance

  • nvd, v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  • nvd, v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  • osv: 10.0 CRITICAL
  • vendor_debian: 10.0 LOW