CVE-2018-10916

2018-08-0114:29:00

Google

osv.dev

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

6.5 Medium

AI Score

Confidence

Low

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:N/I:P/A:C

0.005 Low

EPSS

Percentile

74.6%

JSON

It has been discovered that lftp up to and including version 4.8.3 does not properly sanitize remote file names, leading to a loss of integrity on the local system when reverse mirroring is used. A remote attacker may trick a user to use reverse mirroring on an attacker controlled FTP server, resulting in the removal of all files in the current working directory of the victim’s system.

CPENameOperatorVersion
lftpeqlftp-3-2-0
lftpeqlftp-2-3-4
lftpeq4.7.6-r0
lftpeqlftp-4-1-3
lftpeqlftp-2-6-0
lftpeq4.5.1-r0
lftpeqlftp-2-3-3
lftpeq4.4.3-r0
lftpeqlftp-3-4-2
lftpeqlftp-4-3-0

Name	Operator	Version
lftp	eq	lftp-3-2-0
lftp	eq	lftp-2-3-4
lftp	eq	4.7.6-r0
lftp	eq	lftp-4-1-3
lftp	eq	lftp-2-6-0
lftp	eq	4.5.1-r0
lftp	eq	lftp-2-3-3
lftp	eq	4.4.3-r0
lftp	eq	lftp-3-4-2
lftp	eq	lftp-4-3-0