Executive Summary
Information | | | |
---|---|---|---|
Name | CVE-2007-2348 | First vendor Publication | 2007-04-27 |
Vendor | Cve | Last vendor Modification | 2023-11-07 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 6.8 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Medium |
Cvss Exploit Score | 8.6 | Authentication | None Required |
Detail
mirror --script in lftp before 3.5.9 does not properly quote shell metacharacters, which might allow remote user-assisted attackers to execute shell commands via a malicious script. NOTE: it is not clear whether this issue crosses security boundaries, since the script already supports commands such as "get" which could overwrite executable files.
Original Source
Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2348
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:10806 | |||
Oval ID: | oval:org.mitre.oval:def:10806 | ||
Title: | mirror --script in lftp before 3.5.9 does not properly quote shell metacharacters, which might allow remote user-assisted attackers to execute shell commands via a malicious script. NOTE: it is not clear whether this issue crosses security boundaries, since the script already supports commands such as "get" which could overwrite executable files. | ||
Description: | mirror --script in lftp before 3.5.9 does not properly quote shell metacharacters, which might allow remote user-assisted attackers to execute shell commands via a malicious script. NOTE: it is not clear whether this issue crosses security boundaries, since the script already supports commands such as "get" which could overwrite executable files. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2007-2348 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 5, CentOS Linux 5, Oracle Linux 5 | Product(s): | |
Definition Id: oval:org.mitre.oval:def:22494 | |||
Oval ID: | oval:org.mitre.oval:def:22494 | ||
Title: | ELSA-2009:1278: lftp security and bug fix update (Low) | ||
Description: | mirror --script in lftp before 3.5.9 does not properly quote shell metacharacters, which might allow remote user-assisted attackers to execute shell commands via a malicious script. NOTE: it is not clear whether this issue crosses security boundaries, since the script already supports commands such as "get" which could overwrite executable files. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2009:1278-02, CVE-2007-2348 | Version: | 6 |
Platform(s): | Oracle Linux 5 | Product(s): | lftp |
Definition Id: oval:org.mitre.oval:def:28929 | |||
Oval ID: | oval:org.mitre.oval:def:28929 | ||
Title: | RHSA-2009:1278 -- lftp security and bug fix update (Low) | ||
Description: | An updated lftp package that fixes one security issue and various bugs is now available for Red Hat Enterprise Linux 5. This update has been rated as having low security impact by the Red Hat Security Response Team. LFTP is a sophisticated file transfer program for the FTP and HTTP protocols. Like bash, it has job control and uses the readline library for input. It has bookmarks, built-in mirroring, and can transfer several files in parallel. It is designed with reliability in mind. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2009:1278, CESA-2009:1278-CentOS 5, CVE-2007-2348 | Version: | 3 |
Platform(s): | Red Hat Enterprise Linux 5, CentOS Linux 5 | Product(s): | lftp |
OpenVAS Exploits
Date | Description |
---|---|
2011-08-09 | Name : CentOS Update for lftp CESA-2009:1278 centos5 i386 File : nvt/gb_CESA-2009_1278_lftp_centos5_i386.nasl |
2009-09-21 | Name : CentOS Security Advisory CESA-2009:1278 (lftp) File : nvt/ovcesa2009_1278.nasl |
2009-09-09 | Name : RedHat Security Advisory RHSA-2009:1278 File : nvt/RHSA_2009_1278.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
35596 | lftp mirror --script Arbitrary Code Execution Weakness |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2012-08-01 | Name : The remote Scientific Linux host is missing a security update. File : sl_20090902_lftp_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2010-01-06 | Name : The remote CentOS host is missing a security update. File : centos_RHSA-2009-1278.nasl - Type : ACT_GATHER_INFO |
2009-09-02 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2009-1278.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2023-11-07 21:47:58 | |
2023-02-13 09:29:27 | |
2021-05-05 01:03:32 | |
2021-05-04 12:05:42 | |
2021-04-22 01:06:16 | |
2020-05-23 01:38:08 | |
2020-05-23 00:19:40 | |
2017-10-11 09:23:56 | |
2016-04-26 16:03:56 | |
2014-02-17 10:39:59 | |
2013-05-11 10:24:05 | |
2013-01-23 13:21:35 | |