CVE-2008-2779

Directory traversal vulnerability in GlobalSCAPE CuteFTP Home 8.2.0 Build 02.26.2008.4 and CuteFTP Pro 8.2.0 Build 04.01.2008.1 allows remote FTP servers to create or overwrite arbitrary files via ..\ (dot dot backslash) sequences in responses to LIST commands, a related issue to CVE-2002-1345. NOTE: this can be leveraged for code execution by writing to a Startup folder.

CVSS v2.0 9.3 HIGH

9.3^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:M/Au:N/C:C/I:C/A:C

Exploitability : 8.6 / Impact : 10.0

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://secunia.com/advisories/29760	Vendor Advisory
http://vuln.sg/cuteftp820-en.html	Exploit
http://www.securitytracker.com/id?1020113
http://www.vupen.com/english/advisories/2008/1653/references
https://exchange.xforce.ibmcloud.com/vulnerabilities/42633

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:globalscape:cuteftp:8.2.0::home:::::
	cpe:2.3:a:globalscape:cuteftp:8.2.0::pro:::::

History

No history.

Information

Published : 2008-06-19 20:41

Updated : 2023-12-10 10:51

NVD link : CVE-2008-2779

Mitre link : CVE-2008-2779

CVE.ORG link : CVE-2008-2779

JSON object : View

Products Affected

globalscape

cuteftp

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2008-2779", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 9.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "MEDIUM", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}]}, "published": "2008-06-19T20:41:00.000", "references": [{"url": "http://secunia.com/advisories/29760", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://vuln.sg/cuteftp820-en.html", "tags": ["Exploit"], "source": "cve@mitre.org"}, {"url": "http://www.securitytracker.com/id?1020113", "source": "cve@mitre.org"}, {"url": "http://www.vupen.com/english/advisories/2008/1653/references", "source": "cve@mitre.org"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/42633", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "Directory traversal vulnerability in GlobalSCAPE CuteFTP Home 8.2.0 Build 02.26.2008.4 and CuteFTP Pro 8.2.0 Build 04.01.2008.1 allows remote FTP servers to create or overwrite arbitrary files via ..\\ (dot dot backslash) sequences in responses to LIST commands, a related issue to CVE-2002-1345. NOTE: this can be leveraged for code execution by writing to a Startup folder."}, {"lang": "es", "value": "Vulnerabilidad de Salto de Directorio en GlobalSCAPE CuteFTP Home 8.2.0 Build0 2.26.2008.4 y CuteFTP Pro 8.2.0 Build 04.01.2008.1, permite en servidores FTP remotos crear y sobrescribir ficheros arbitrariamente mediante secuencias ..\\ (punto punto barra invertida) en respuesta a comandos LIST, un problema relacionado con la CVE-2002-1345. NOTA: puede aprovecharse para ejecuci\u00f3n de c\u00f3digo escribiendo en el fichero de inicio."}], "lastModified": "2017-08-08T01:31:19.263", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:globalscape:cuteftp:8.2.0:*:home:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "12174378-67EA-41D0-B91A-911F81722A29"}, {"criteria": "cpe:2.3:a:globalscape:cuteftp:8.2.0:*:pro:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A91A19CF-CEDE-4626-9577-0DF44D2B7586"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}