CVSS2: 5.1 Medium (AV:N/AC:H/Au:N/C:P/I:P/A:P)

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | HIGH |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |

AI Score: 6.5 Medium (Confidence: Low)

EPSS: 0.806 High (Percentile: 98.3%)

The Auth API in ProFTPD before 20070417, when multiple simultaneous authentication modules are configured, does not require that the module that checks authentication is the same as the module that retrieves authentication data, which might allow remote attackers to bypass authentication, as demonstrated by use of SQLAuthTypes Plaintext in mod_sql, with data retrieved from /etc/passwd.
CPE | Name | Operator | Version |
---|---|---|---|
proftpd_project:proftpd | proftpd project proftpd | le | 1.3.0_rc1 |
bugs.debian.org/cgi-bin/bugreport.cgi?bug=419255
bugs.proftpd.org/show_bug.cgi?id=2922
osvdb.org/34602
secunia.com/advisories/24867
secunia.com/advisories/25724
secunia.com/advisories/27516
securitytracker.com/id?1017931
www.mandriva.com/security/advisories?name=MDKSA-2007:130
www.securityfocus.com/bid/23546
www.vupen.com/english/advisories/2007/1444
bugzilla.redhat.com/show_bug.cgi?id=237533
exchange.xforce.ibmcloud.com/vulnerabilities/33733
www.redhat.com/archives/fedora-package-announce/2007-November/msg00065.html