CVE-2018-10916

It has been discovered that lftp up to and including version 4.8.3 does not properly sanitize remote file names, leading to a loss of integrity on the local system when reverse mirroring is used. A remote attacker may trick a user to use reverse mirroring on an attacker controlled FTP server, resulting in the removal of all files in the current working directory of the victim's system.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.3 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
redhatCNA
5.3 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 71%
VendorProductVersion
lftp_projectlftp
𝑥
≤ 4.8.3
canonicalubuntu_linux
12.04
opensuseleap
42.3
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
lftp
bullseye
4.8.4-2
fixed
stretch
no-dsa
jessie
no-dsa
bookworm
4.9.2-2
fixed
sid
4.9.2-3
fixed
trixie
4.9.2-3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
lftp
bionic
Fixed 4.8.1-1ubuntu0.1
released
xenial
Fixed 4.6.3a-1ubuntu0.1
released
trusty
Fixed 4.4.13-1ubuntu0.1
released
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00036.html
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00010.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10916
https://github.com/lavv17/lftp/commit/a27e07d90a4608ceaf928b1babb27d4d803e1992
https://github.com/lavv17/lftp/issues/452
https://usn.ubuntu.com/3731-2/
http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00036.html
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00010.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10916
https://github.com/lavv17/lftp/commit/a27e07d90a4608ceaf928b1babb27d4d803e1992
https://github.com/lavv17/lftp/issues/452
https://usn.ubuntu.com/3731-2/