{"id": "CVE-1999-1562", "bulletinFamily": "NVD", "title": "CVE-1999-1562", "description": "gFTP FTP client 1.13, and other versions before 2.0.0, records a password in plaintext in (1) the log window, or (2) in a log file.", "published": "1999-09-05T04:00:00", "modified": "2008-09-05T20:19:00", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-1562", "reporter": "cve@mitre.org", "references": ["http://www.securityfocus.com/bid/3446", "http://www.securityfocus.com/archive/1/26915", "http://www.debian.org/security/2001/dsa-084"], "cvelist": ["CVE-1999-1562"], "type": "cve", "lastseen": "2020-12-09T19:19:23", "edition": 5, "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "osvdb", "idList": ["OSVDB:13564"]}, {"type": "openvas", "idList": ["OPENVAS:53574"]}, {"type": "nessus", "idList": ["DEBIAN_DSA-084.NASL"]}], "modified": "2020-12-09T19:19:23", "rev": 2}, "score": {"value": 5.2, "vector": "NONE", "modified": "2020-12-09T19:19:23", "rev": 2}, "vulnersScore": 5.2}, "cpe": ["cpe:/a:gftp:ftp_client:1.13", "cpe:/a:gftp:ftp_client:2.0.0"], "affectedSoftware": [{"cpeName": "gftp:ftp_client", "name": "gftp ftp client", "operator": "le", "version": "2.0.0"}, {"cpeName": "gftp:ftp_client", "name": "gftp ftp client", "operator": "eq", "version": "1.13"}], "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": true, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {}, "cpe23": ["cpe:2.3:a:gftp:ftp_client:1.13:*:*:*:*:*:*:*", "cpe:2.3:a:gftp:ftp_client:2.0.0:*:*:*:*:*:*:*"], "cwe": ["NVD-CWE-Other"], "scheme": null, "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:gftp:ftp_client:2.0.0:*:*:*:*:*:*:*", "versionEndIncluding": "2.0.0", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gftp:ftp_client:1.13:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}]}}

{"osvdb": [{"lastseen": "2017-04-28T13:20:09", "bulletinFamily": "software", "cvelist": ["CVE-1999-1562"], "edition": 1, "description": "## Vulnerability Description\ngFTP contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when the password is displayed in plaintext during login or stored in the log file when logging is enabled occurs, which will disclose a user's password information resulting in a loss of confidentiality.\n## Solution Description\nUpgrade to version 2.0.6a-3.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\ngFTP contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when the password is displayed in plaintext during login or stored in the log file when logging is enabled occurs, which will disclose a user's password information resulting in a loss of confidentiality.\n## References:\nVendor URL: http://gftp.seul.org/\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/1999-q3/0803.html\nISS X-Force ID: 7319\n[CVE-1999-1562](https://vulners.com/cve/CVE-1999-1562)\nBugtraq ID: 3446\n", "modified": "1999-09-05T00:00:00", "published": "1999-09-05T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:13564", "id": "OSVDB:13564", "title": "gFTP FTP Client Cleartext Password Disclosure", "type": "osvdb", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2017-07-24T12:50:10", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-1562"], "description": "The remote host is missing an update to gftp\nannounced via advisory DSA 084-1.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "id": "OPENVAS:53574", "href": "http://plugins.openvas.org/nasl.php?oid=53574", "type": "openvas", "title": "Debian Security Advisory DSA 084-1 (gftp)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_084_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 084-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Stephane Gaudreault told us that version 2.0.6a of gftp displays the\npassword in plain text on the screen within the log window when it is\nlogging into an ftp server. A malicious colleague who is watching the\nscreen could gain access to the users shell on the remote machine.\n\nThis problem has been fixed by the Security Team in version 2.0.6a-3.2\nfor the stable Debian GNU/Linux 2.2.\n\nWe recommend that you upgrade your gftp package.\";\ntag_summary = \"The remote host is missing an update to gftp\nannounced via advisory DSA 084-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20084-1\";\n\nif(description)\n{\n script_id(53574);\n script_cve_id(\"CVE-1999-1562\");\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 14:24:38 +0100 (Thu, 17 Jan 2008)\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Debian Security Advisory DSA 084-1 (gftp)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"gftp\", ver:\"2.0.6a-3.2\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2021-01-06T09:44:30", "description": "Stephane Gaudreault told us that version 2.0.6a of gftp displays the\n password in plain text on the screen within the log window when it is\n logging into an ftp server. A malicious colleague who is watching the\n screen could gain access to the users shell on the remote machine.\n\nThis problem has been fixed by the Security Team in version 2.0.6a-3.2\nfor the stable Debian GNU/Linux 2.2.", "edition": 24, "published": "2004-09-29T00:00:00", "title": "Debian DSA-084-1 : gftp - Information Retrieval", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-1562"], "modified": "2004-09-29T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:gftp", "cpe:/o:debian:debian_linux:2.2"], "id": "DEBIAN_DSA-084.NASL", "href": "https://www.tenable.com/plugins/nessus/14921", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-084. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(14921);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-1999-1562\");\n script_bugtraq_id(3446);\n script_xref(name:\"DSA\", value:\"084\");\n\n script_name(english:\"Debian DSA-084-1 : gftp - Information Retrieval\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Stephane Gaudreault told us that version 2.0.6a of gftp displays the\n password in plain text on the screen within the log window when it is\n logging into an ftp server. A malicious colleague who is watching the\n screen could gain access to the users shell on the remote machine.\n\nThis problem has been fixed by the Security Team in version 2.0.6a-3.2\nfor the stable Debian GNU/Linux 2.2.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/97184\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2001/dsa-084\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the gftp package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:gftp\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:2.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2001/10/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/09/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"2.2\", prefix:\"gftp\", reference:\"2.0.6a-3.2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}]}