5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
9.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
0.003 Low
EPSS
Percentile
70.7%
The FTP protocol creates two connections, one for commands and one for transferring data.
This second data connection can be created in two ways, on the server by sending the PASV command, or on the client by sending the PORT command.
The PORT command sends the IP and port for the server to connect to the client with.
Since the client can send an arbitrary IP with the PORT command, this can be used to cause the server to make a connection elsewhere.
Deprecation notices have been published for older versions.
Blacklisting the FTP Command PORT
will prevent the server from exposing this behaviour through active connections until a fix is applied.
const ftp = new FtpSrv({
blacklist: ['PORT']
});
https://www.npmjs.com/advisories/1445
Thank you to;
@trs for fixing it
@andreeleuterio for reporting it to us for an anonymous user (Vincent) through the NPM platform
@quiquelhappy for bringing it to our attention after it slipped through the cracks during Christmas
If you have any questions or comments about this advisory:
github.com/advisories/GHSA-jw37-5gqr-cf9j
github.com/autovance/ftp-srv/commit/5508c2346cf23b24c20070ff2e8a47c647d3d5b5
github.com/autovance/ftp-srv/commit/e449e75219d918c400dec65b4b0759f60476abca
github.com/autovance/ftp-srv/commit/fb32b012c3baf48ee804e1dc36544cbba70b00d3
github.com/autovance/ftp-srv/security/advisories/GHSA-jw37-5gqr-cf9j
nvd.nist.gov/vuln/detail/CVE-2020-15152
www.npmjs.com/advisories/1445
www.npmjs.com/package/ftp-srv
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
9.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
0.003 Low
EPSS
Percentile
70.7%