CVE-2023-45198

ftpd before "NetBSD-ftpd 20230930" can leak information about the host filesystem before authentication via an MLSD or MLST command. tnftpd (the portable version of NetBSD ftpd) before 20231001 is also vulnerable.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
http://cvsweb.netbsd.org/bsdweb.cgi/src/libexec/ftpd/ftpcmd.y.diff?r1=1.94&r2=1.95	Patch
https://mail-index.netbsd.org/source-changes/2023/09/22/msg147669.html	Mailing List Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:netbsd:ftpd::::::::
	cpe:2.3:a:netbsd:tnftpd::::::::

History

11 Oct 2023, 17:15

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
References	~~(MISC) https://mail-index.netbsd.org/source-changes/2023/09/22/msg147669.html -~~	(MISC) https://mail-index.netbsd.org/source-changes/2023/09/22/msg147669.html - Mailing List, Vendor Advisory
References	~~(MISC) http://cvsweb.netbsd.org/bsdweb.cgi/src/libexec/ftpd/ftpcmd.y.diff?r1=1.94&r2=1.95 -~~	(MISC) http://cvsweb.netbsd.org/bsdweb.cgi/src/libexec/ftpd/ftpcmd.y.diff?r1=1.94&r2=1.95 - Patch
CWE		NVD-CWE-noinfo
CPE		cpe:2.3:a:netbsd:tnftpd:::::::: cpe:2.3:a:netbsd:ftpd::::::::
First Time		Netbsd Netbsd tnftpd Netbsd ftpd

05 Oct 2023, 05:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-10-05 05:15

Updated : 2023-12-10 15:14

NVD link : CVE-2023-45198

Mitre link : CVE-2023-45198

CVE.ORG link : CVE-2023-45198

JSON object : View

Products Affected

netbsd

ftpd
tnftpd

CWE

NVD-CWE-noinfo

7.5 /10