Lucene search

[email protected]NVD:CVE-2022-2560

HistoryMar 29, 2023 - 7:15 p.m.

CVE-2022-2560

2023-03-2919:15:11

CWE-22

[email protected]

web.nvd.nist.gov

remote attackers

file deletion

enterprisedt completeftp

server

vulnerability

httpfile class

user-supplied path

file operations

system context

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

AI Score

8.4

Confidence

High

EPSS

0.019

Percentile

88.6%

JSON

This vulnerability allows remote attackers to delete arbitrary files on affected installations of EnterpriseDT CompleteFTP 22.1.0 Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the HttpFile class. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to delete files in the context of SYSTEM. Was ZDI-CAN-17481.

Affected configurations

Nvd

Node

enterprisedtcompleteftp_serverRange<22.1.1

VendorProductVersionCPE
enterprisedtcompleteftp_server*cpe:2.3:a:enterprisedt:completeftp_server:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
enterprisedt	completeftp_server	*	cpe:2.3:a:enterprisedt:completeftp_server::::::::

References

www.zerodayinitiative.com/advisories/ZDI-22-1032/

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

AI Score

8.4

Confidence

High

EPSS

0.019

Percentile

88.6%

JSON

Related for NVD:CVE-2022-2560

zdi1 cvelist1 cve1 prion1