Vulnerabilities > CVE-2020-15152 - Server-Side Request Forgery (SSRF) vulnerability in Ftp-Srv Project Ftp-Srv

047910
CVSS 9.1 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
NONE
network
low complexity
ftp-srv-project
CWE-918
critical

Summary

ftp-srv is an npm package which is a modern and extensible FTP server designed to be simple yet configurable. In ftp-srv before versions 2.19.6, 3.1.2, and 4.3.4 are vulnerable to Server-Side Request Forgery. The PORT command allows arbitrary IPs which can be used to cause the server to make a connection elsewhere. A possible workaround is blocking the PORT through the configuration. This issue is fixed in version2 2.19.6, 3.1.2, and 4.3.4. More information can be found on the linked advisory.

Vulnerable Configurations

Part Description Count
Application
Ftp-Srv_Project
65

Common Weakness Enumeration (CWE)