CVE-2020-26299 : ftp-srv is an open-source FTP server designed to be simple yet configurable. In ftp-srv before version 4.4.0 there is a

ftp-srv is an open-source FTP server designed to be simple yet configurable. In ftp-srv before version 4.4.0 there is a path-traversal vulnerability. Clients of FTP servers utilizing ftp-srv hosted on Windows machines can escape the FTP user's defined root folder using the expected FTP commands, for example, CWD and UPDR. When windows separators exist within the path (`\`), `path.resolve` leaves the upper pointers intact and allows the user to move beyond the root folder defined for that user. We did not take that into account when creating the path resolve function. The issue is patched in version 4.4.0 (commit 457b859450a37cba10ff3c431eb4aa67771122e3).

Published 2021-02-10 18:15:13

Updated 2021-02-19 17:27:57

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Directory traversal

Exploit prediction scoring system (EPSS) score for CVE-2020-26299

Probability of exploitation activity in the next 30 days: 0.34%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 68 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2020-26299

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.5	MEDIUM	AV:N/AC:L/Au:S/C:P/I:P/A:N	8.0	4.9	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: None
9.6	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N	3.1	5.8	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Changed Confidentiality: High Integrity: High Availability: None
6.3	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N	1.8	4.0	GitHub, Inc.
Attack Vector: Network Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Changed Confidentiality: None Integrity: High Availability: None

CWE ids for CVE-2020-26299

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Assigned by: security-advisories@github.com (Primary)

References for CVE-2020-26299

https://github.com/autovance/ftp-srv/pull/224

fix(fs): check resolved path against root by matt-forster · Pull Request #224 · autovance/ftp-srv · GitHub
Patch;Third Party Advisory
https://github.com/autovance/ftp-srv/commit/457b859450a37cba10ff3c431eb4aa67771122e3

fix(fs): check resolved path against root (#224) · autovance/ftp-srv@457b859 · GitHub
Patch;Third Party Advisory
https://www.npmjs.com/package/ftp-srv

ftp-srv - npm
Product;Third Party Advisory

CVEs referencing this url
https://github.com/autovance/ftp-srv/issues/225

Symlink Resolution · Discussion #225 · autovance/ftp-srv · GitHub
Exploit;Third Party Advisory
https://github.com/autovance/ftp-srv/issues/167

Windows: User can escape from root directory · Issue #167 · autovance/ftp-srv · GitHub
Exploit;Patch;Third Party Advisory
https://github.com/autovance/ftp-srv/security/advisories/GHSA-pmw4-jgxx-pcq9

File System Bounds Escape · Advisory · autovance/ftp-srv · GitHub
Exploit;Third Party Advisory

Products affected by CVE-2020-26299

Ftp-srv Project » Ftp-srv » For Node.js
Versions before (<) 4.4.0
cpe:2.3:a:ftp-srv_project:ftp-srv:*:*:*:*:*:node.js:*:*
Matching versions

Vulnerability Details : CVE-2020-26299

Exploit prediction scoring system (EPSS) score for CVE-2020-26299

CVSS scores for CVE-2020-26299

CWE ids for CVE-2020-26299

References for CVE-2020-26299

Products affected by CVE-2020-26299