Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWp3MzctNWdxci1jZjlq

Server-Side Request Forgery in ftp-srv

Background

The FTP protocol creates two connections, one for commands and one for transferring data.
This second data connection can be created in two ways, on the server by sending the PASV command, or on the client by sending the PORT command.

The PORT command sends the IP and port for the server to connect to the client with.

Issue

Since the client can send an arbitrary IP with the PORT command, this can be used to cause the server to make a connection elsewhere.

Patches

Deprecation notices have been published for older versions.

Workarounds

Blacklisting the FTP Command PORT will prevent the server from exposing this behaviour through active connections until a fix is applied.

const ftp = new FtpSrv({
  blacklist: ['PORT']
});

References

https://www.npmjs.com/advisories/1445

Credits

Thank you to;
@trs for fixing it
@andreeleuterio for reporting it to us for an anonymous user (Vincent) through the NPM platform
@quiquelhappy for bringing it to our attention after it slipped through the cracks during Christmas

For more information

If you have any questions or comments about this advisory:

Permalink: https://github.com/advisories/GHSA-jw37-5gqr-cf9j
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWp3MzctNWdxci1jZjlq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 4 years ago
Updated: over 1 year ago


CVSS Score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Identifiers: GHSA-jw37-5gqr-cf9j, CVE-2020-15152
References: Repository: https://github.com/autovance/ftp-srv
Blast Radius: 18.3

Affected Packages

npm:ftp-srv
Dependent packages: 53
Dependent repositories: 102
Downloads: 21,038 last month
Affected Version Ranges: >= 4.0.0, < 4.3.4, >= 3.0.0, < 3.1.2, >= 1.0.0, < 2.19.6
Fixed in: 4.3.4, 3.1.2, 2.19.6
All affected versions: 1.0.0, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.3.1, 2.4.0, 2.5.0, 2.6.0, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.8.0, 2.9.0, 2.9.1, 2.9.2, 2.10.0, 2.10.1, 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.11.4, 2.12.0, 2.13.0, 2.13.1, 2.13.2, 2.13.3, 2.14.0, 2.15.0, 2.16.0, 2.16.1, 2.16.2, 2.17.0, 2.18.0, 2.19.0, 2.19.1, 2.19.2, 2.19.3, 2.19.4, 2.19.5, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.2.0, 4.3.0, 4.3.1, 4.3.2, 4.3.3
All unaffected versions: 0.0.0, 2.19.6, 3.1.2, 4.3.4, 4.4.0, 4.5.0, 4.6.0, 4.6.1, 4.6.2, 4.6.3