CVE-2020-26299
EPSS 1.0%File System Bounds Escape
Description
### Impact Clients of FTP servers utilizing `ftp-srv` hosted on Windows machines can escape the FTP user's defined root folder using the expected FTP commands, for example, `CWD` and `UPDR`. ### Background When windows separators exist within the path (`\`), `path.resolve` leaves the upper pointers intact and allows the user to move beyond the root folder defined for that user. We did not take that into account when creating the path resolve function.  ### Patches None at the moment. ### Workarounds There are no workarounds for windows servers. Hosting the server on a different OS mitigates the issue. ### References Issues: https://github.com/autovance/ftp-srv/issues/167 https://github.com/autovance/ftp-srv/issues/225 ### For more information If you have any questions or comments about this advisory: Open an issue at https://github.com/autovance/ftp-srv. Please email us directly; [email protected].
Affected packages (1)
- npm/ftp-srvfrom 0, < 4.4.0
References (7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-26299
- WEBhttps://github.com/autovance/ftp-srv/commit/457b859450a37cba10ff3c431eb4aa67771122e3
- WEBhttps://github.com/autovance/ftp-srv/issues/167
- WEBhttps://github.com/autovance/ftp-srv/issues/225
- WEBhttps://github.com/autovance/ftp-srv/pull/224
- WEBhttps://github.com/autovance/ftp-srv/security/advisories/GHSA-pmw4-jgxx-pcq9
- WEBhttps://www.npmjs.com/package/ftp-srv