Information Disclosure in NetBSD FTP Daemon by NetBSD
CVE-2023-45198

7.5 HIGH

Key Information:

Vendor:
NetBSD
CVE Published:
5 October 2023

What is CVE-2023-45198?

The NetBSD FTP daemon before version 20230930 and the portable tnftpd before version 20231001 are affected by an information disclosure vulnerability. An unauthenticated user can send MLSD or MLST commands before authentication occurs and extract sensitive details about the host filesystem. This information could aid further attacks on the system.

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
