Vulnerabilities > CVE-2020-11707 - Incorrect Authorization vulnerability in Provideserver Provide FTP Server 13.1

CVSS 8.8 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

provideserver

CWE-863

NVD

Published: 2020-04-12

Updated: 2021-07-21

Summary

An issue was discovered in ProVide (formerly zFTPServer) through 13.1. It doesn't enforce permission over Windows Symlinks or Junctions. As a result, a low-privileged user (non-admin) can craft a Junction Link in a directory he has full control of, breaking out of the sandbox.

Vulnerable Configurations

Part	Description	Count
Application	Provideserver Provideserver Provide FTP Server - Provideserver Provide FTP Server 13.1	2

Common Weakness Enumeration (CWE)

CWE-863 - Incorrect Authorization

References

https://www.provideserver.com/security/
https://github.com/belong2yourself/vulnerabilities/tree/master/ProVide/Sandbox%20Escape%20via%20Symlink%20or%20Junction