CVE-2014-1693 - Multiple CRLF injection vulnerabilities in the FTP module in Erlang/OTP R15B03 allow context-depende

CVE-2014-1693

Summary

Multiple CRLF injection vulnerabilities in the FTP module in Erlang/OTP R15B03 allow context-dependent attackers to inject arbitrary FTP commands via CRLF sequences in the (1) user, (2) account, (3) cd, (4) ls, (5) nlist, (6) rename, (7) delete, (8) mkdir, (9) rmdir, (10) recv, (11) recv_bin, (12) recv_chunk_start, (13) send, (14) send_bin, (15) send_chunk_start, (16) append_chunk_start, (17) append, or (18) append_bin command. <a href="http://cwe.mitre.org/data/definitions/93.html" target="_blank">CWE-93: CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')</a>

References

Vulnerable Configurations

cpe:2.3:a:erlang:erlang\/otp:r15b03:*:*:*:*:*:*:*
cpe:2.3:a:erlang:erlang\/otp:r15b03:*:*:*:*:*:*:*

CVSS

Base:	7.5 (as of 16-03-2018 - 01:29)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:N/C:P/I:P/A:P

refmap via4

confirm	http://advisories.mageia.org/MGASA-2014-0553.html https://bugzilla.redhat.com/show_bug.cgi?id=1059331
fedora	FEDORA-2014-15394
mandriva	MDVSA-2015:174
mlist	[oss-security] 20140128 CVE Request: Erlang OTP - ftp module - FTP Command Injection
ubuntu	USN-3571-1

Last major update

16-03-2018 - 01:29

Published

08-12-2014 - 11:59

Last modified

16-03-2018 - 01:29