CVE Vulnerability

CVE-2007-2165

The Auth API in ProFTPD before 20070417, when multiple simultaneous authentication modules are configured, does not require that the module that checks authentication is the same as the module that retrieves authentication data, which might allow remote attackers to bypass authentication, as demonstrated by use of SQLAuthTypes Plaintext in mod_sql, with data retrieved from /etc/passwd.

5.1 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 4.9 / Impact : 6.4

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

Scope

References
Link Resource
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=419255 Vendor Advisory
http://bugs.proftpd.org/show_bug.cgi?id=2922 Patch
http://www.securityfocus.com/bid/23546
http://securitytracker.com/id?1017931 Vendor Advisory
http://secunia.com/advisories/24867 Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=237533
https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00065.html
http://www.mandriva.com/security/advisories?name=MDKSA-2007:130
http://secunia.com/advisories/25724
http://secunia.com/advisories/27516
http://osvdb.org/34602
http://www.vupen.com/english/advisories/2007/1444
https://exchange.xforce.ibmcloud.com/vulnerabilities/33733
Configurations

Configuration 1

cpe:2.3:a:proftpd_project:proftpd:*:*:*:*:*:*:*:*
Information

Published : 2007-04-22 07:19

Updated : 2017-07-29 01:31

NVD link : CVE-2007-2165

Mitre link : CVE-2007-2165

Products Affected
No products.
CWE
NVD-CWE-Other