CVE-2020-5196

Cerberus FTP Server Enterprise Edition prior to versions 11.0.3 and 10.0.18 allows an authenticated attacker to create files, display hidden files, list directories, and list files without the permission to zip and download (or unzip and upload) files. There are multiple ways to bypass certain permissions by utilizing the zip and unzip features. As a result, users without permission can see files, folders, and hidden files, and can create directories without permission.

Configurations

Configuration 1

OR cpe:2.3:a:cerberusftp:ftp_server:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:cerberusftp:ftp_server:*:*:*:*:enterprise:*:*:*

History

21 Nov 2024, 05:33

Type | Values Removed | Values Added
References | https://support.cerberusftp.com/hc/en-us/community/topics/360000164199-Announcements - Release Notes, Vendor Advisory | https://support.cerberusftp.com/hc/en-us/community/topics/360000164199-Announcements - Release Notes, Vendor Advisory
References | https://www.cerberusftp.com/zip-unzip-permission-bypass-vulnerability-fixed-in-cerberus-ftp-server-versions-11-0-3-and-10-0-18/ - Vendor Advisory | https://www.cerberusftp.com/zip-unzip-permission-bypass-vulnerability-fixed-in-cerberus-ftp-server-versions-11-0-3-and-10-0-18/ - Vendor Advisory
References | https://www.doyler.net/security-not-included/cerberus-ftp-vulnerabilities - Exploit, Third Party Advisory | https://www.doyler.net/security-not-included/cerberus-ftp-vulnerabilities - Exploit, Third Party Advisory

Information

Published : 2020-01-14 14:15

Updated : 2024-11-21 05:33


NVD link : CVE-2020-5196

Mitre link : CVE-2020-5196

CVE.ORG link : CVE-2020-5196


Products Affected

cerberusftp

  • ftp_server

CWE

CWE-276

Incorrect Default Permissions