CVE-2020-8634 (GCVE-0-2020-8634)
Vulnerability from cvelistv5 – Published: 2020-03-06 23:33 – Updated: 2024-08-04 10:03
VLAI
EPSS
VEX
Summary
Wing FTP Server v6.2.3 for Linux, macOS, and Solaris sets insecure permissions on files modified within the HTTP file management interface, resulting in files being saved with world-readable and world-writable permissions. If a sensitive system file were edited this way, a low-privilege user may escalate privileges to root.
Severity
7.8 (High)
CWE
- n/a
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.hooperlabs.xyz/disclosures/cve-2020-8… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:03:46.369Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.hooperlabs.xyz/disclosures/cve-2020-8635.php"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Wing FTP Server v6.2.3 for Linux, macOS, and Solaris sets insecure permissions on files modified within the HTTP file management interface, resulting in files being saved with world-readable and world-writable permissions. If a sensitive system file were edited this way, a low-privilege user may escalate privileges to root."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-06T23:33:20.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.hooperlabs.xyz/disclosures/cve-2020-8635.php"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-8634",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Wing FTP Server v6.2.3 for Linux, macOS, and Solaris sets insecure permissions on files modified within the HTTP file management interface, resulting in files being saved with world-readable and world-writable permissions. If a sensitive system file were edited this way, a low-privilege user may escalate privileges to root."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.hooperlabs.xyz/disclosures/cve-2020-8635.php",
"refsource": "MISC",
"url": "https://www.hooperlabs.xyz/disclosures/cve-2020-8635.php"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-8634",
"datePublished": "2020-03-06T23:33:20.000Z",
"dateReserved": "2020-02-05T00:00:00.000Z",
"dateUpdated": "2024-08-04T10:03:46.369Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2020-8634",
"date": "2026-07-18",
"epss": "0.00426",
"percentile": "0.34593"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:wftpserver:wing_ftp_server:6.2.3:*:*:*:*:linux:*:*\", \"matchCriteriaId\": \"A2057B2F-6A30-4493-9E0B-E73C67470D1B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:wftpserver:wing_ftp_server:6.2.3:*:*:*:*:macos:*:*\", \"matchCriteriaId\": \"CFBEB412-B9C5-4216-B30C-A2616DE155B7\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:wftpserver:wing_ftp_server:6.2.3:*:*:*:*:solaris:*:*\", \"matchCriteriaId\": \"29A1D238-E336-4AFB-906D-691D141A1570\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Wing FTP Server v6.2.3 for Linux, macOS, and Solaris sets insecure permissions on files modified within the HTTP file management interface, resulting in files being saved with world-readable and world-writable permissions. If a sensitive system file were edited this way, a low-privilege user may escalate privileges to root.\"}, {\"lang\": \"es\", \"value\": \"Wing FTP Server versi\\u00f3n v6.2.3 para Linux, macOS y Solaris establece permisos no seguros en archivos modificados dentro de la interfaz de administraci\\u00f3n de archivos HTTP, resultando en que los archivos sean guardados con permisos world-readable y world-writable. Si un archivo confidencial del sistema fue editado de esta manera, un usuario con poco privilegio puede escalar privilegios a root.\"}]",
"id": "CVE-2020-8634",
"lastModified": "2024-11-21T05:39:09.700",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 7.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:L/AC:L/Au:N/C:C/I:C/A:C\", \"baseScore\": 7.2, \"accessVector\": \"LOCAL\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"COMPLETE\", \"integrityImpact\": \"COMPLETE\", \"availabilityImpact\": \"COMPLETE\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 3.9, \"impactScore\": 10.0, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2020-03-07T00:15:13.240",
"references": "[{\"url\": \"https://www.hooperlabs.xyz/disclosures/cve-2020-8635.php\", \"source\": \"cve@mitre.org\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://www.hooperlabs.xyz/disclosures/cve-2020-8635.php\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}]",
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-281\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2020-8634\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2020-03-07T00:15:13.240\",\"lastModified\":\"2024-11-21T05:39:09.700\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Wing FTP Server v6.2.3 for Linux, macOS, and Solaris sets insecure permissions on files modified within the HTTP file management interface, resulting in files being saved with world-readable and world-writable permissions. If a sensitive system file were edited this way, a low-privilege user may escalate privileges to root.\"},{\"lang\":\"es\",\"value\":\"Wing FTP Server versi\u00f3n v6.2.3 para Linux, macOS y Solaris establece permisos no seguros en archivos modificados dentro de la interfaz de administraci\u00f3n de archivos HTTP, resultando en que los archivos sean guardados con permisos world-readable y world-writable. Si un archivo confidencial del sistema fue editado de esta manera, un usuario con poco privilegio puede escalar privilegios a root.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:L/Au:N/C:C/I:C/A:C\",\"baseScore\":7.2,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":3.9,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-281\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wftpserver:wing_ftp_server:6.2.3:*:*:*:*:linux:*:*\",\"matchCriteriaId\":\"A2057B2F-6A30-4493-9E0B-E73C67470D1B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wftpserver:wing_ftp_server:6.2.3:*:*:*:*:macos:*:*\",\"matchCriteriaId\":\"CFBEB412-B9C5-4216-B30C-A2616DE155B7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wftpserver:wing_ftp_server:6.2.3:*:*:*:*:solaris:*:*\",\"matchCriteriaId\":\"29A1D238-E336-4AFB-906D-691D141A1570\"}]}]}],\"references\":[{\"url\":\"https://www.hooperlabs.xyz/disclosures/cve-2020-8635.php\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://www.hooperlabs.xyz/disclosures/cve-2020-8635.php\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}",
"redhat_vex": {
"current_release_date": "2025-05-22T16:51:56+00:00",
"cve": "CVE-2020-8634",
"id": "CVE-2020-8634",
"initial_release_date": "2020-01-01T00:00:00+00:00",
"product_status:known_not_affected": "1",
"source": "Red Hat CSAF VEX",
"status": "final",
"title": "CVE-2020-8634",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2020/cve-2020-8634.json",
"version": "3"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…