CVE-2023-45198

HIGH

ftpd < NetBSD-ftpd 20230930 - Info Disclosure

Title source: llm

Description

ftpd before "NetBSD-ftpd 20230930" can leak information about the host filesystem before authentication via an MLSD or MLST command. tnftpd (the portable version of NetBSD ftpd) before 20231001 is also vulnerable.

References (2)

Core 2

Core References

Patch

http://cvsweb.netbsd.org/bsdweb.cgi/src/libexec/ftpd/ftpcmd.y.diff?r1=1.94&r2=1.95

Mailing List, Vendor Advisory

https://mail-index.netbsd.org/source-changes/2023/09/22/msg147669.html

Scores

CVSS v3 7.5

EPSS 0.0022

EPSS Percentile 43.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

Status published

Products (2)

netbsd/ftpd < 2023-09-30

netbsd/tnftpd < 2023-10-01

Published Oct 05, 2023

Tracked Since Feb 18, 2026