CVE-2008-0604

The LDAP authentication feature in XLight FTP Server before 2.83, when used with some unspecified LDAP servers, does not check for blank passwords, which allows remote attackers to bypass intended access restrictions.

CVSS v2.0 6.8 MEDIUM

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://secunia.com/advisories/28755	Patch
http://www.securityfocus.com/bid/27602	Patch
http://www.xlightftpd.com/whatsnew.htm
http://secunia.com/advisories/28755	Patch
http://www.securityfocus.com/bid/27602	Patch
http://www.xlightftpd.com/whatsnew.htm

Configurations

Configuration 1 (hide)

cpe:2.3:a:xlight_ftp_server:xlight_ftp_server:*:*:*:*:*:*:*:*

History

21 Nov 2024, 00:42

Type	Values Removed	Values Added
References	~~() http://secunia.com/advisories/28755 - Patch~~	() http://secunia.com/advisories/28755 - Patch
References	~~() http://www.securityfocus.com/bid/27602 - Patch~~	() http://www.securityfocus.com/bid/27602 - Patch
References	~~() http://www.xlightftpd.com/whatsnew.htm -~~	() http://www.xlightftpd.com/whatsnew.htm -

Information

Published : 2008-02-06 12:00

Updated : 2024-11-21 00:42

NVD link : CVE-2008-0604

Mitre link : CVE-2008-0604

CVE.ORG link : CVE-2008-0604

JSON object : View

Products Affected

xlight_ftp_server

xlight_ftp_server

CWE

CWE-255

Credentials Management Errors

{"id": "CVE-2008-0604", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": true, "userInteractionRequired": false}]}, "published": "2008-02-06T12:00:00.000", "references": [{"url": "http://secunia.com/advisories/28755", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/27602", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "http://www.xlightftpd.com/whatsnew.htm", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/28755", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.securityfocus.com/bid/27602", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.xlightftpd.com/whatsnew.htm", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-255"}]}], "descriptions": [{"lang": "en", "value": "The LDAP authentication feature in XLight FTP Server before 2.83, when used with some unspecified LDAP servers, does not check for blank passwords, which allows remote attackers to bypass intended access restrictions."}, {"lang": "es", "value": "La caracter\u00edstica de autentificaci\u00f3n LDAP en XLight FTP Server en versiones anteriores a 2.83. Cuando se usa con algunos servidores LDAP no especificados, no comprueba que haya contrase\u00f1as en blanco, lo que permite a atacantes remotos evitar las pretendidas restricciones de acceso."}], "lastModified": "2024-11-21T00:42:29.310", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:xlight_ftp_server:xlight_ftp_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F79C2E38-B1A0-44AF-821A-E9400EE5381F", "versionEndIncluding": "2.82"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}