Vulnerability Details CVE-2018-10916
It has been discovered that lftp up to and including version 4.8.3 does not properly sanitize remote file names, leading to a loss of integrity on the local system when reverse mirroring is used. A remote attacker may trick a user to use reverse mirroring on an attacker controlled FTP server, resulting in the removal of all files in the current working directory of the victim's system.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.008
EPSS Ranking 72.3%
CVSS Severity
CVSS v3 Score 5.3
CVSS v2 Score 7.8
References
- http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00036.html
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00010.html
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10916
- https://github.com/lavv17/lftp/commit/a27e07d90a4608ceaf928b1babb27d4d803e1992
- https://github.com/lavv17/lftp/issues/452
- https://usn.ubuntu.com/3731-2/
- http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00036.html
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00010.html
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10916
- https://github.com/lavv17/lftp/commit/a27e07d90a4608ceaf928b1babb27d4d803e1992
- https://github.com/lavv17/lftp/issues/452
- https://usn.ubuntu.com/3731-2/
Products affected by CVE-2018-10916
-
cpe:2.3:a:lftp_project:lftp:2.0.0
-
cpe:2.3:a:lftp_project:lftp:2.0.1
-
cpe:2.3:a:lftp_project:lftp:2.0.2
-
cpe:2.3:a:lftp_project:lftp:2.0.3
-
cpe:2.3:a:lftp_project:lftp:2.0.4
-
cpe:2.3:a:lftp_project:lftp:2.0.5
-
cpe:2.3:a:lftp_project:lftp:2.1.0
-
cpe:2.3:a:lftp_project:lftp:2.1.1
-
cpe:2.3:a:lftp_project:lftp:2.1.10
-
cpe:2.3:a:lftp_project:lftp:2.1.2
-
cpe:2.3:a:lftp_project:lftp:2.1.3
-
cpe:2.3:a:lftp_project:lftp:2.1.4
-
cpe:2.3:a:lftp_project:lftp:2.1.5
-
cpe:2.3:a:lftp_project:lftp:2.1.6
-
cpe:2.3:a:lftp_project:lftp:2.1.8
-
cpe:2.3:a:lftp_project:lftp:2.1.9
-
cpe:2.3:a:lftp_project:lftp:2.2.0
-
cpe:2.3:a:lftp_project:lftp:2.2.1
-
cpe:2.3:a:lftp_project:lftp:2.2.2
-
cpe:2.3:a:lftp_project:lftp:2.2.3
-
cpe:2.3:a:lftp_project:lftp:2.2.4
-
cpe:2.3:a:lftp_project:lftp:2.2.6
-
cpe:2.3:a:lftp_project:lftp:2.3.0
-
cpe:2.3:a:lftp_project:lftp:2.3.1
-
cpe:2.3:a:lftp_project:lftp:2.3.10
-
cpe:2.3:a:lftp_project:lftp:2.3.11
-
cpe:2.3:a:lftp_project:lftp:2.3.3
-
cpe:2.3:a:lftp_project:lftp:2.3.4
-
cpe:2.3:a:lftp_project:lftp:2.3.5
-
cpe:2.3:a:lftp_project:lftp:2.3.6
-
cpe:2.3:a:lftp_project:lftp:2.3.7
-
cpe:2.3:a:lftp_project:lftp:2.3.8
-
cpe:2.3:a:lftp_project:lftp:2.3.9
-
cpe:2.3:a:lftp_project:lftp:2.4.0
-
cpe:2.3:a:lftp_project:lftp:2.4.1
-
cpe:2.3:a:lftp_project:lftp:2.4.10
-
cpe:2.3:a:lftp_project:lftp:2.4.11
-
cpe:2.3:a:lftp_project:lftp:2.4.2
-
cpe:2.3:a:lftp_project:lftp:2.4.3
-
cpe:2.3:a:lftp_project:lftp:2.4.4
-
cpe:2.3:a:lftp_project:lftp:2.4.5
-
cpe:2.3:a:lftp_project:lftp:2.4.6
-
cpe:2.3:a:lftp_project:lftp:2.4.7
-
cpe:2.3:a:lftp_project:lftp:2.4.8
-
cpe:2.3:a:lftp_project:lftp:2.4.9
-
cpe:2.3:a:lftp_project:lftp:2.5.0
-
cpe:2.3:a:lftp_project:lftp:2.5.1
-
cpe:2.3:a:lftp_project:lftp:2.5.2
-
cpe:2.3:a:lftp_project:lftp:2.5.3
-
cpe:2.3:a:lftp_project:lftp:2.5.4
-
cpe:2.3:a:lftp_project:lftp:2.6.0
-
cpe:2.3:a:lftp_project:lftp:2.6.1
-
cpe:2.3:a:lftp_project:lftp:2.6.10
-
cpe:2.3:a:lftp_project:lftp:2.6.11
-
cpe:2.3:a:lftp_project:lftp:2.6.12
-
cpe:2.3:a:lftp_project:lftp:2.6.2
-
cpe:2.3:a:lftp_project:lftp:2.6.3
-
cpe:2.3:a:lftp_project:lftp:2.6.4
-
cpe:2.3:a:lftp_project:lftp:2.6.5
-
cpe:2.3:a:lftp_project:lftp:2.6.6
-
cpe:2.3:a:lftp_project:lftp:2.6.7
-
cpe:2.3:a:lftp_project:lftp:2.6.8
-
cpe:2.3:a:lftp_project:lftp:2.6.9
-
cpe:2.3:a:lftp_project:lftp:3.0.0
-
cpe:2.3:a:lftp_project:lftp:3.0.1
-
cpe:2.3:a:lftp_project:lftp:3.0.10
-
cpe:2.3:a:lftp_project:lftp:3.0.11
-
cpe:2.3:a:lftp_project:lftp:3.0.12
-
cpe:2.3:a:lftp_project:lftp:3.0.13
-
cpe:2.3:a:lftp_project:lftp:3.0.2
-
cpe:2.3:a:lftp_project:lftp:3.0.3
-
cpe:2.3:a:lftp_project:lftp:3.0.4
-
cpe:2.3:a:lftp_project:lftp:3.0.5
-
cpe:2.3:a:lftp_project:lftp:3.0.6
-
cpe:2.3:a:lftp_project:lftp:3.0.7
-
cpe:2.3:a:lftp_project:lftp:3.0.8
-
cpe:2.3:a:lftp_project:lftp:3.0.9
-
cpe:2.3:a:lftp_project:lftp:3.1.0
-
cpe:2.3:a:lftp_project:lftp:3.1.1
-
cpe:2.3:a:lftp_project:lftp:3.1.2
-
cpe:2.3:a:lftp_project:lftp:3.1.3
-
cpe:2.3:a:lftp_project:lftp:3.1.4
-
cpe:2.3:a:lftp_project:lftp:3.2.0
-
cpe:2.3:a:lftp_project:lftp:3.2.1
-
cpe:2.3:a:lftp_project:lftp:3.3.0
-
cpe:2.3:a:lftp_project:lftp:3.3.1
-
cpe:2.3:a:lftp_project:lftp:3.3.2
-
cpe:2.3:a:lftp_project:lftp:3.3.3
-
cpe:2.3:a:lftp_project:lftp:3.3.4
-
cpe:2.3:a:lftp_project:lftp:3.3.5
-
cpe:2.3:a:lftp_project:lftp:3.4.0
-
cpe:2.3:a:lftp_project:lftp:3.4.1
-
cpe:2.3:a:lftp_project:lftp:3.4.2
-
cpe:2.3:a:lftp_project:lftp:3.4.3
-
cpe:2.3:a:lftp_project:lftp:3.4.4
-
cpe:2.3:a:lftp_project:lftp:3.4.5
-
cpe:2.3:a:lftp_project:lftp:3.4.6
-
cpe:2.3:a:lftp_project:lftp:3.4.7
-
cpe:2.3:a:lftp_project:lftp:3.5.0
-
cpe:2.3:a:lftp_project:lftp:3.5.1
-
cpe:2.3:a:lftp_project:lftp:3.5.10
-
cpe:2.3:a:lftp_project:lftp:3.5.11
-
cpe:2.3:a:lftp_project:lftp:3.5.12
-
cpe:2.3:a:lftp_project:lftp:3.5.13
-
cpe:2.3:a:lftp_project:lftp:3.5.14
-
cpe:2.3:a:lftp_project:lftp:3.5.15
-
cpe:2.3:a:lftp_project:lftp:3.5.2
-
cpe:2.3:a:lftp_project:lftp:3.5.3
-
cpe:2.3:a:lftp_project:lftp:3.5.4
-
cpe:2.3:a:lftp_project:lftp:3.5.5
-
cpe:2.3:a:lftp_project:lftp:3.5.6
-
cpe:2.3:a:lftp_project:lftp:3.5.7
-
cpe:2.3:a:lftp_project:lftp:3.5.8
-
cpe:2.3:a:lftp_project:lftp:3.5.9
-
cpe:2.3:a:lftp_project:lftp:3.6.0
-
cpe:2.3:a:lftp_project:lftp:3.6.1
-
cpe:2.3:a:lftp_project:lftp:3.6.2
-
cpe:2.3:a:lftp_project:lftp:3.6.3
-
cpe:2.3:a:lftp_project:lftp:3.7.0
-
cpe:2.3:a:lftp_project:lftp:3.7.1
-
cpe:2.3:a:lftp_project:lftp:3.7.10
-
cpe:2.3:a:lftp_project:lftp:3.7.11
-
cpe:2.3:a:lftp_project:lftp:3.7.12
-
cpe:2.3:a:lftp_project:lftp:3.7.13
-
cpe:2.3:a:lftp_project:lftp:3.7.14
-
cpe:2.3:a:lftp_project:lftp:3.7.15
-
cpe:2.3:a:lftp_project:lftp:3.7.2
-
cpe:2.3:a:lftp_project:lftp:3.7.3
-
cpe:2.3:a:lftp_project:lftp:3.7.4
-
cpe:2.3:a:lftp_project:lftp:3.7.6
-
cpe:2.3:a:lftp_project:lftp:3.7.7
-
cpe:2.3:a:lftp_project:lftp:3.7.8
-
cpe:2.3:a:lftp_project:lftp:3.7.9
-
cpe:2.3:a:lftp_project:lftp:4.0.0
-
cpe:2.3:a:lftp_project:lftp:4.0.1
-
cpe:2.3:a:lftp_project:lftp:4.0.10
-
cpe:2.3:a:lftp_project:lftp:4.0.2
-
cpe:2.3:a:lftp_project:lftp:4.0.3
-
cpe:2.3:a:lftp_project:lftp:4.0.4
-
cpe:2.3:a:lftp_project:lftp:4.0.5
-
cpe:2.3:a:lftp_project:lftp:4.0.6
-
cpe:2.3:a:lftp_project:lftp:4.0.7
-
cpe:2.3:a:lftp_project:lftp:4.0.8
-
cpe:2.3:a:lftp_project:lftp:4.0.9
-
cpe:2.3:a:lftp_project:lftp:4.1.0
-
cpe:2.3:a:lftp_project:lftp:4.1.1
-
cpe:2.3:a:lftp_project:lftp:4.1.2
-
cpe:2.3:a:lftp_project:lftp:4.1.3
-
cpe:2.3:a:lftp_project:lftp:4.2.0
-
cpe:2.3:a:lftp_project:lftp:4.2.1
-
cpe:2.3:a:lftp_project:lftp:4.2.2
-
cpe:2.3:a:lftp_project:lftp:4.2.3
-
cpe:2.3:a:lftp_project:lftp:4.3.0
-
cpe:2.3:a:lftp_project:lftp:4.3.1
-
cpe:2.3:a:lftp_project:lftp:4.4.10
-
cpe:2.3:a:lftp_project:lftp:4.4.11
-
cpe:2.3:a:lftp_project:lftp:4.4.12
-
cpe:2.3:a:lftp_project:lftp:4.4.13
-
cpe:2.3:a:lftp_project:lftp:4.4.14
-
cpe:2.3:a:lftp_project:lftp:4.4.15
-
cpe:2.3:a:lftp_project:lftp:4.4.16
-
cpe:2.3:a:lftp_project:lftp:4.4.6
-
cpe:2.3:a:lftp_project:lftp:4.4.7
-
cpe:2.3:a:lftp_project:lftp:4.4.9
-
cpe:2.3:a:lftp_project:lftp:4.5.0
-
cpe:2.3:a:lftp_project:lftp:4.5.1
-
cpe:2.3:a:lftp_project:lftp:4.5.2
-
cpe:2.3:a:lftp_project:lftp:4.5.3
-
cpe:2.3:a:lftp_project:lftp:4.5.4
-
cpe:2.3:a:lftp_project:lftp:4.5.5
-
cpe:2.3:a:lftp_project:lftp:4.5.6
-
cpe:2.3:a:lftp_project:lftp:4.6.0
-
cpe:2.3:a:lftp_project:lftp:4.6.1
-
cpe:2.3:a:lftp_project:lftp:4.6.2
-
cpe:2.3:a:lftp_project:lftp:4.6.3
-
cpe:2.3:a:lftp_project:lftp:4.6.4
-
cpe:2.3:a:lftp_project:lftp:4.6.5
-
cpe:2.3:a:lftp_project:lftp:4.6.6
-
cpe:2.3:a:lftp_project:lftp:4.7.0
-
cpe:2.3:a:lftp_project:lftp:4.7.1
-
cpe:2.3:a:lftp_project:lftp:4.7.2
-
cpe:2.3:a:lftp_project:lftp:4.7.3
-
cpe:2.3:a:lftp_project:lftp:4.7.4
-
cpe:2.3:a:lftp_project:lftp:4.7.5
-
cpe:2.3:a:lftp_project:lftp:4.7.6
-
cpe:2.3:a:lftp_project:lftp:4.7.7
-
cpe:2.3:a:lftp_project:lftp:4.7.8
-
cpe:2.3:a:lftp_project:lftp:4.8.0
-
cpe:2.3:a:lftp_project:lftp:4.8.1
-
cpe:2.3:a:lftp_project:lftp:4.8.2
-
cpe:2.3:a:lftp_project:lftp:4.8.3
-
cpe:2.3:o:canonical:ubuntu_linux:12.04
-
cpe:2.3:o:opensuse:leap:42.3