Vulnerabilities > CVE-2020-15152 - Server-Side Request Forgery (SSRF) vulnerability in Ftp-Srv Project Ftp-Srv
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
NONE Summary
ftp-srv is an npm package which is a modern and extensible FTP server designed to be simple yet configurable. In ftp-srv before versions 2.19.6, 3.1.2, and 4.3.4 are vulnerable to Server-Side Request Forgery. The PORT command allows arbitrary IPs which can be used to cause the server to make a connection elsewhere. A possible workaround is blocking the PORT through the configuration. This issue is fixed in version2 2.19.6, 3.1.2, and 4.3.4. More information can be found on the linked advisory.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
References
- https://github.com/autovance/ftp-srv/commit/e449e75219d918c400dec65b4b0759f60476abca
- https://github.com/autovance/ftp-srv/commit/e449e75219d918c400dec65b4b0759f60476abca
- https://github.com/autovance/ftp-srv/security/advisories/GHSA-jw37-5gqr-cf9j
- https://github.com/autovance/ftp-srv/security/advisories/GHSA-jw37-5gqr-cf9j
- https://www.npmjs.com/package/ftp-srv
- https://www.npmjs.com/package/ftp-srv