CVE-2020-15152

ftp-srv is an npm package which is a modern and extensible FTP server designed to be simple yet configurable. In ftp-srv before versions 2.19.6, 3.1.2, and 4.3.4 are vulnerable to Server-Side Request Forgery. The PORT command allows arbitrary IPs which can be used to cause the server to make a connection elsewhere. A possible workaround is blocking the PORT through the configuration. This issue is fixed in version2 2.19.6, 3.1.2, and 4.3.4. More information can be found on the linked advisory.
Configurations

Configuration 1

cpe:2.3:a:ftp-srv_project:ftp-srv:*:*:*:*:*:node.js:*:*
cpe:2.3:a:ftp-srv_project:ftp-srv:*:*:*:*:*:node.js:*:*
cpe:2.3:a:ftp-srv_project:ftp-srv:*:*:*:*:*:node.js:*:*

Information

Published : 2020-08-17 10:15

Updated : 2021-05-05 02:02


NVD link : CVE-2020-15152

Mitre link : CVE-2020-15152

Products Affected
No products.
CWE
CWE-918

Server-Side Request Forgery (SSRF)