CVE-2023-42657 | In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a dir… | CVSS 9.9 CRITICAL

Description

In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a directory traversal vulnerability was discovered. An attacker could leverage this vulnerability to perform file operations (delete, rename, rmdir, mkdir) on files and folders outside of their authorized WS_FTP folder path. Attackers could also escape the context of the WS_FTP Server file structure and perform the same level of operations (delete, rename, rmdir, mkdir) on file and folder locations on the underlying operating system.

Metadata

CVE ID: CVE-2023-42657
State: PUBLISHED
Assigner: ProgressSoftware
Reserved: 2023-09-12 13:30 UTC
Published: 2023-09-27 14:49 UTC
Last updated: 2024-09-24 14:19 UTC
Primary CWE: CWE-22
CWE-22 Improper Limitation of a Pathname to a Restricted Dir…
Vendor / Product: Progress Software Corporation / WS_FTP Server
Sources: cve.org · NVD

Severity & Metrics

9.9 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
Progress Software Corporation	WS_FTP Server	—	8.8.0 < 8.8.2, 8.7.0 < 8.7.4

Weakness (CWE)

CWE	Source	Description
CWE-22	cna	CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.9	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

References (2)