Vulnerability Details CVE-2009-5012
ftpserver.py in pyftpdlib before 0.5.2 does not require the l permission for the MLST command, which allows remote authenticated users to bypass intended access restrictions and list the root directory via an FTP session.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 42.7%
CVSS Severity
CVSS v2 Score 4.0
References
- http://code.google.com/p/pyftpdlib/issues/detail?id=114
- http://code.google.com/p/pyftpdlib/source/browse/trunk/HISTORY
- http://code.google.com/p/pyftpdlib/source/detail?r=596
- http://code.google.com/p/pyftpdlib/source/diff?spec=svn596&r=596&format=side&path=/trunk/pyftpdlib/ftpserver.py
- http://code.google.com/p/pyftpdlib/issues/detail?id=114
- http://code.google.com/p/pyftpdlib/source/browse/trunk/HISTORY
- http://code.google.com/p/pyftpdlib/source/detail?r=596
- http://code.google.com/p/pyftpdlib/source/diff?spec=svn596&r=596&format=side&path=/trunk/pyftpdlib/ftpserver.py
Products affected by CVE-2009-5012
-
cpe:2.3:a:g.rodola:pyftpdlib:*
-
cpe:2.3:a:g.rodola:pyftpdlib:0.1
-
cpe:2.3:a:g.rodola:pyftpdlib:0.1.1
-
cpe:2.3:a:g.rodola:pyftpdlib:0.2.0
-
cpe:2.3:a:g.rodola:pyftpdlib:0.3.0
-
cpe:2.3:a:g.rodola:pyftpdlib:0.4.0
-
cpe:2.3:a:g.rodola:pyftpdlib:0.5.0