Lucene search

ZdiCVE-2022-2560

HistoryMar 29, 2023 - 7:15 p.m.

CVE-2022-2560

2023-03-2919:15:11

CWE-22

zdi

web.nvd.nist.gov

completeftp

vulnerability

remote attackers

file deletion

enterprisedt

cve-2022-2560

nvd

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

AI Score

8.3

Confidence

High

EPSS

0.019

Percentile

88.6%

JSON

This vulnerability allows remote attackers to delete arbitrary files on affected installations of EnterpriseDT CompleteFTP 22.1.0 Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the HttpFile class. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to delete files in the context of SYSTEM. Was ZDI-CAN-17481.

Affected configurations

Nvd

Vulners

Node

enterprisedtcompleteftp_serverRange<22.1.1

VendorProductVersionCPE
enterprisedtcompleteftp_server*cpe:2.3:a:enterprisedt:completeftp_server:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
enterprisedt	completeftp_server	*	cpe:2.3:a:enterprisedt:completeftp_server::::::::

CNA Affected

[
  {
    "vendor": "EnterpriseDT",
    "product": "CompleteFTP",
    "versions": [
      {
        "version": "22.1.0",
        "status": "affected"
      }
    ]
  }
]

References

www.zerodayinitiative.com/advisories/ZDI-22-1032/

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

AI Score

8.3

Confidence

High

EPSS

0.019

Percentile

88.6%

JSON

Related for CVE-2022-2560