CVE-2023-45198

ftpd before "NetBSD-ftpd 20230930" can leak information about the host filesystem before authentication via an MLSD or MLST command. tnftpd (the portable version of NetBSD ftpd) before 20231001 is also vulnerable.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
http://cvsweb.netbsd.org/bsdweb.cgi/src/libexec/ftpd/ftpcmd.y.diff?r1=1.94&r2=1.95	Patch
https://mail-index.netbsd.org/source-changes/2023/09/22/msg147669.html	Mailing List Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:netbsd:ftpd::::::::
	cpe:2.3:a:netbsd:tnftpd::::::::

History

11 Oct 2023, 17:15

Type	Values Removed	Values Added
References	~~(MISC) https://mail-index.netbsd.org/source-changes/2023/09/22/msg147669.html -~~	(MISC) https://mail-index.netbsd.org/source-changes/2023/09/22/msg147669.html - Mailing List, Vendor Advisory
References	~~(MISC) http://cvsweb.netbsd.org/bsdweb.cgi/src/libexec/ftpd/ftpcmd.y.diff?r1=1.94&r2=1.95 -~~	(MISC) http://cvsweb.netbsd.org/bsdweb.cgi/src/libexec/ftpd/ftpcmd.y.diff?r1=1.94&r2=1.95 - Patch
CPE		cpe:2.3:a:netbsd:tnftpd:::::::: cpe:2.3:a:netbsd:ftpd::::::::
CWE		NVD-CWE-noinfo
First Time		Netbsd tnftpd Netbsd Netbsd ftpd
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5

05 Oct 2023, 05:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-10-05 05:15

Updated : 2024-02-28 20:33

NVD link : CVE-2023-45198

Mitre link : CVE-2023-45198

CVE.ORG link : CVE-2023-45198

JSON object : View

Products Affected

netbsd

ftpd
tnftpd

CWE

NVD-CWE-noinfo

7.5 /10