CVSS3: 5.9 Medium
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS2: 2.6 Low
Access Vector: NETWORK
Access Complexity: HIGH
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N

EPSS: 0.001 Low
Percentile: 23.2%

The libcurl FTP(S) protocol code will reuse a connection even if a different CURLOPT_FTP_ACCOUNT (libcurl) or --ftp-account (curl) is specified for different connections and the server requests account authentication via reply code 332. It appears that STRING_FTP_ALTERNATIVE_TO_USER (libcurl) or --ftp-alternative-to-user (curl) is also affected and should also result in caching being refused.

echo -e "foo\n" | nc -v -l -p 9998; echo -e "bar\n" | nc -v -l -p 9998
echo -ne "220 a\n331 b\n332 c\n230 d\n257 \"/\"\n229 (|||9998|)\n200 e\n213 4\n150 f\n226 g\n229 (|||9998|)\n213 4\n150 f\n226 g\n" | nc -v -l -p 9999
curl -v --ftp-account alice "ftp://ftp@server:9999/file1" -: --ftp-account bob "ftp://ftp@server:9999/file2"

As a result, the connection authenticated as user alice will be used when fetching file2, even though user bob was specified for fetching it.

CURLOPT_FTP_ACCOUNT or STRING_FTP_ALTERNATIVE_TO_USER are different.

Accessing content with wrong cached credentials.
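
A simplified C model of the connection-reuse decision described above, added here as an illustration and not taken from curl's source; the struct and function names are hypothetical. It contrasts a cache match that ignores the account options with one that treats them as part of the connection's identity.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Simplified model of an FTP connection-cache entry (hypothetical struct,
   not libcurl's internal layout). NULL means the option was not set. */
struct ftp_conn_key {
    const char *host;
    int port;
    const char *user;
    const char *account;      /* CURLOPT_FTP_ACCOUNT / --ftp-account */
    const char *alt_to_user;  /* --ftp-alternative-to-user */
};

/* NULL-safe equality: "unset" only matches "unset". */
static bool same_str(const char *a, const char *b)
{
    if (a == NULL || b == NULL)
        return a == b;
    return strcmp(a, b) == 0;
}

/* Models the behaviour the report describes: account options are ignored. */
bool reusable_ignoring_account(const struct ftp_conn_key *cached,
                               const struct ftp_conn_key *wanted)
{
    return cached->port == wanted->port &&
           same_str(cached->host, wanted->host) &&
           same_str(cached->user, wanted->user);
}

/* Stricter check: every credential-like option is part of the match. */
bool reusable_strict(const struct ftp_conn_key *cached,
                     const struct ftp_conn_key *wanted)
{
    return reusable_ignoring_account(cached, wanted) &&
           same_str(cached->account, wanted->account) &&
           same_str(cached->alt_to_user, wanted->alt_to_user);
}

/* Constructed sample keys mirroring the two transfers in the report. */
static const struct ftp_conn_key file1 = { "server", 9999, "ftp", "alice", NULL };
static const struct ftp_conn_key file2 = { "server", 9999, "ftp", "bob", NULL };

int main(void)
{
    /* Exit 0 when the lax check reuses and the strict check refuses. */
    return (reusable_ignoring_account(&file1, &file2) &&
            !reusable_strict(&file1, &file2)) ? 0 : 1;
}
```
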