CVE-2020-5196
Published 2020-01-14
Priority: P3 · 48 · high · 8.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS: 1.20% (64.4th percentile)
Cerberus FTP Server Enterprise Edition prior to versions 11.0.3 and 10.0.18 allows an authenticated attacker to create files, display hidden files, list directories, and list files without the permission to zip and download (or unzip and upload) files. There are multiple ways to bypass certain permissions by utilizing the zip and unzip features. As a result, users without permission can see files, folders, and hidden files, and can create directories without permission.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cerberusftp | ftp_server | >= 10.0.0 < 10.0.18 | 10.0.18 |
| cerberusftp | ftp_server | >= 11.0.0 < 11.0.3 | 11.0.3 |
CVSS provenance
NVD, CVSS v3.1: 8.1 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
NVD, CVSS v2.0: 5.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:N
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://support.cerberusftp.com/hc/en-us/community/topics/360000164199-Announcements
- https://www.cerberusftp.com/zip-unzip-permission-bypass-vulnerability-fixed-in-cerberus-ftp-server-versions-11-0-3-and-10-0-18/
- https://www.doyler.net/security-not-included/cerberus-ftp-vulnerabilities