Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXBtdzQtamd4eC1wY3E5
File System Bounds Escape
Clients of FTP servers utilizing ftp-srv hosted on Windows machines can escape the FTP user's defined root folder using the expected FTP commands, for example,
When Windows separators exist within the path (
path.resolve leaves the upper pointers intact and allows the user to move beyond the root folder defined for that user. We did not take that into account when creating the path resolve function.
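A simplified model of this failure, as an added example that is not ftp-srv's code or the code of its fix: it contrasts normalising a client path with POSIX rules before joining it under Windows rules against a resolver that converts separators first and then verifies containment. The function names, the root C:\ftp\alice and the client path are constructed for illustration, and Node's path.posix and path.win32 are used so the Windows behaviour reproduces on any OS.

```javascript
// Added illustration: a simplified model, not ftp-srv's resolver or its patch.
// All function names and sample paths are constructed.
const path = require('path');

const ROOT = 'C:\\ftp\\alice'; // constructed per-user root on a Windows host

// Weak pattern: normalise the client path with POSIX rules, then join it to
// the root with Windows rules. POSIX treats "\" as an ordinary character, so
// "..\" segments are not collapsed here and win32.join honours them later.
function naiveResolve(root, clientPath) {
  const virtual = path.posix.resolve('/', clientPath);
  return path.win32.join(root, virtual);
}

// Containment test based on the relative path, not a string prefix, so a
// sibling such as C:\ftp\alice2 is not mistaken for being under the root.
function isInsideRoot(root, target) {
  const rel = path.win32.relative(path.win32.resolve(root), path.win32.resolve(target));
  const climbs = rel === '..' || rel.startsWith('..' + path.win32.sep);
  return !climbs && !path.win32.isAbsolute(rel);
}

// Hardened pattern: convert "\" to "/" before normalising so every ".."
// is clamped at the virtual root, then verify the final host path.
function safeResolve(root, clientPath) {
  const virtual = path.posix.resolve('/', clientPath.replace(/\\/g, '/'));
  const target = path.win32.resolve(root, '.' + virtual);
  if (!isInsideRoot(root, target)) throw new Error('path escapes user root');
  return target;
}

const sample = '..\\..\\other\\file.txt'; // constructed client-supplied path
console.log('naive   :', naiveResolve(ROOT, sample), isInsideRoot(ROOT, naiveResolve(ROOT, sample)));
console.log('hardened:', safeResolve(ROOT, sample), isInsideRoot(ROOT, safeResolve(ROOT, sample)));
```

The containment check in isInsideRoot is independent of how the path was normalised, so it also works as a final guard in front of any file-system call.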
None at the moment.
There are no workarounds for Windows servers. Hosting the server on a different OS mitigates the issue.
For more information: https://github.com/advisories/GHSA-pmw4-jgxx-pcq9
Source: GitHub Advisory Database
Published: almost 3 years ago
Updated: 10 months ago
Identifiers: GHSA-pmw4-jgxx-pcq9, CVE-2020-26299
Fixed in: 4.4.0