GHSA-JW37-5GQR-CF9J

Vulnerability from github – Published: 2020-08-17 21:44 – Updated: 2021-01-12 19:30
VLAI?
Summary
Server-Side Request Forgery in ftp-srv
Details

Background

The FTP protocol creates two connections, one for commands and one for transferring data. This second data connection can be created in two ways, on the server by sending the PASV command, or on the client by sending the PORT command.

The PORT command sends the IP and port for the server to connect to the client with.

Issue

Since the client can send an arbitrary IP with the PORT command, this can be used to cause the server to make a connection elsewhere.

Patches

  • fix: disallow PORT connections to alternate hosts: e449e75219d918c400dec65b4b0759f60476abca

Deprecation notices have been published for older versions.

Workarounds

Blacklisting the FTP Command PORT will prevent the server from exposing this behaviour through active connections until a fix is applied.

const ftp = new FtpSrv({
  blacklist: ['PORT']
});

References

https://www.npmjs.com/advisories/1445

Credits

Thank you to; @trs for fixing it @andreeleuterio for reporting it to us for an anonymous user (Vincent) through the NPM platform @quiquelhappy for bringing it to our attention after it slipped through the cracks during Christmas

For more information

If you have any questions or comments about this advisory: * Open an issue at https://github.com/autovance/ftp-srv * Email us directly; security@autovance.com

Severity ?
9.1 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "ftp-srv"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "2.19.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "ftp-srv"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "ftp-srv"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-15152"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-17T21:42:37Z",
    "nvd_published_at": "2020-08-17T22:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Background\n\nThe FTP protocol creates two connections, one for commands and one for transferring data.\nThis second data connection can be created in two ways, on the server by sending the PASV command, or on the client by sending the PORT command.\n\nThe PORT command sends the IP and port for the server to connect to the client with.\n\n### Issue\nSince the client can send an arbitrary IP with the PORT command, this can be used to cause the server to make a connection elsewhere.\n\n### Patches\n\n* _fix: disallow PORT connections to alternate hosts_: e449e75219d918c400dec65b4b0759f60476abca\n\nDeprecation notices have been published for older versions.\n\n### Workarounds\n\nBlacklisting the FTP Command `PORT` will prevent the server from exposing this behaviour through active connections until a fix is applied.\n```js\nconst ftp = new FtpSrv({\n  blacklist: [\u0027PORT\u0027]\n});\n```\n\n### References\nhttps://www.npmjs.com/advisories/1445\n\n### Credits\n\nThank you to;\n@trs for fixing it\n@andreeleuterio for reporting it to us for an anonymous user (Vincent) through the NPM platform\n@quiquelhappy for bringing it to our attention after it slipped through the cracks during Christmas\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue at [https://github.com/autovance/ftp-srv](https://github.com/autovance/ftp-srv)\n* Email us directly; security@autovance.com",
  "id": "GHSA-jw37-5gqr-cf9j",
  "modified": "2021-01-12T19:30:42Z",
  "published": "2020-08-17T21:44:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/autovance/ftp-srv/security/advisories/GHSA-jw37-5gqr-cf9j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15152"
    },
    {
      "type": "WEB",
      "url": "https://github.com/autovance/ftp-srv/commit/5508c2346cf23b24c20070ff2e8a47c647d3d5b5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/autovance/ftp-srv/commit/e449e75219d918c400dec65b4b0759f60476abca"
    },
    {
      "type": "WEB",
      "url": "https://github.com/autovance/ftp-srv/commit/fb32b012c3baf48ee804e1dc36544cbba70b00d3"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/1445"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/ftp-srv"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Server-Side Request Forgery in ftp-srv"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.