CVE-2019-9649

MEDIUM

Core FTP <2.0 Build 674 - Info Disclosure

Title source: llm

Description

An issue was discovered in the SFTP Server component in Core FTP 2.0 Build 674. Using the MDTM FTP command, a remote attacker can use a directory traversal technique (..\..\) to browse outside the root directory to determine the existence of a file on the operating system, and its last modified date.

Exploits (2)

exploitdb WORKING POC

by Kevin Randall · textdoswindows

https://www.exploit-db.com/exploits/46534

View Code ZIP pw:eip

github NO CODE

by KevinRandall1337 · poc

https://github.com/KevinRandall1337/CVE-Security-Research/tree/master/CVE-2019-9649

View Code ZIP pw:eip

References (6)

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/107449

[Product, Vendor Advisory] http://www.coreftp.com/forums/viewtopic.php?f=15&t=4022509

[Exploit, Third Party Advisory, VDB Entry] https://www.exploit-db.com/exploits/46534

[Exploit, Mailing List, Third Party Advisory] https://seclists.org/fulldisclosure/2019/Mar/25

[Mailing List] http://seclists.org/fulldisclosure/2019/Aug/22

[Exploit, Third Party Advisory] http://packetstormsecurity.com/files/154205/CoreFTP-Server-MDTM-Directory-Traversal.html

Scores

CVSS v3 5.3

EPSS 0.2894

EPSS Percentile 96.6%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE

CWE-22

Status published

Products (1)

coreftp/core_ftp 2.0

Published Mar 22, 2019

Tracked Since Feb 18, 2026