CVE-2020-26299

描述

### Impact Clients of FTP servers utilizing `ftp-srv` hosted on Windows machines can escape the FTP user's defined root folder using the expected FTP commands, for example, `CWD` and `UPDR`. ### Background When windows separators exist within the path (`\`), `path.resolve` leaves the upper pointers intact and allows the user to move beyond the root folder defined for that user. We did not take that into account when creating the path resolve function.  ### Patches None at the moment. ### Workarounds There are no workarounds for windows servers. Hosting the server on a different OS mitigates the issue. ### References Issues: https://github.com/autovance/ftp-srv/issues/167 https://github.com/autovance/ftp-srv/issues/225 ### For more information If you have any questions or comments about this advisory: Open an issue at https://github.com/autovance/ftp-srv. Please email us directly; [email protected].

如何修補 CVE-2020-26299

要修補 CVE-2020-26299,請將受影響套件升級到下列已修補版本。

• —升級至 4.4.0 或更新版本

CVE-2020-26299 正在被利用嗎?

低 — EPSS 為 1.0%,目前沒有觀察到大規模利用活動。

受影響套件(1)

• from 0, < 4.4.0

參考連結(7)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-26299
• WEBgithub.com/autovance/ftp-srv/commit/457b859450a37cba10ff3c431eb4aa67771122e3
• WEBgithub.com/autovance/ftp-srv/issues/167
• WEBgithub.com/autovance/ftp-srv/issues/225
• WEB