Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2020-15152

Good to know:

icon
icon

Date: August 17, 2020

ftp-srv is an npm package which is a modern and extensible FTP server designed to be simple yet configurable. In ftp-srv before versions 2.19.6, 3.1.2, and 4.3.4 are vulnerable to Server-Side Request Forgery. The PORT command allows arbitrary IPs which can be used to cause the server to make a connection elsewhere. A possible workaround is blocking the PORT through the configuration. This issue is fixed in version2 2.19.6, 3.1.2, and 4.3.4. More information can be found on the linked advisory. Converted from WS-2020-0100, on 2022-11-08.

Language: JS

Severity Score

Related Resources (8)

https://nvd.nist.gov/vuln/detail/CVE-2020-15152
https://github.com/autovance/ftp-srv/commit/e449e75219d918c400dec65b4b0759f60476abca
https://www.npmjs.com/package/ftp-srv
https://www.npmjs.com/advisories/1445
https://github.com/autovance/ftp-srv/security/advisories/GHSA-jw37-5gqr-cf9j
https://github.com/autovance/ftp-srv/commit/5508c2346cf23b24c20070ff2e8a47c647d3d5b5
https://github.com/autovance/ftp-srv/commit/fb32b012c3baf48ee804e1dc36544cbba70b00d3
https://www.mend.io/vulnerability-database/CVE-2020-15152

Severity Score

Weakness Type (CWE)

Server-Side Request Forgery (SSRF)

CWE-918

Top Fix

icon

Upgrade Version

Upgrade to version ftp-srv - 4.3.4;ftp-srv - 2.19.6;ftp-srv - 3.1.2

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): NONE

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (AU): NONE
Confidentiality (C): NONE
Integrity (I): PARTIAL
Availability (A): NONE
Additional information:

Do you need more information?

Contact Us