CVE-2023-45198

HIGH

ftpd < NetBSD-ftpd 20230930 - Info Disclosure

Title source: llm

Description

ftpd before "NetBSD-ftpd 20230930" can leak information about the host filesystem before authentication via an MLSD or MLST command. tnftpd (the portable version of NetBSD ftpd) before 20231001 is also vulnerable.

References (2)

[Patch] http://cvsweb.netbsd.org/bsdweb.cgi/src/libexec/ftpd/ftpcmd.y.diff?r1=1.94&r2=1.95

[Mailing List, Vendor Advisory] https://mail-index.netbsd.org/source-changes/2023/09/22/msg147669.html

Scores

CVSS v3 7.5

EPSS 0.0022

EPSS Percentile 43.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Classification

Status published

Affected Products (2)

netbsd/ftpd < 2023-09-30

netbsd/tnftpd < 2023-10-01

Timeline

Published Oct 05, 2023

Tracked Since Feb 18, 2026