CompleteFTP path traversal flaw allowed attackers to delete server files – Michmutters
Categories
Technology

CompleteFTP path traversal flaw allowed attackers to delete server files

Security issue fixed in version 22.1.1 of file transfer software

CompleteFTP path traversal flaw allowed attackers to delete server files

A security vulnerability in file transfer software CompleteFTP allowed unauthenticated attackers to delete arbitrary files on affected installations.

Developed by EnterpriseDT of Australia, CompleteFTP is a proprietary FTP and SFTP server for Windows that supports FTPS, SFTP, and HTTPS.

A security researcher with the handle rgod discovered a flaw in the class that results from the lack of proper validation of a user-supplied path prior to using it in file operations.

Read more of the latest enterprise security news

“This vulnerability allows remote attackers to delete arbitrary files on affected installations of EnterpriseDT CompleteFTP server,” a security advisory explains.

“An attacker can leverage this vulnerability to delete files in the context of SYSTEM.”

The issue was assigned CVE-2022-2560 and was fixed in CompleteFTP version 22.1.1.

This release includes other security enhancements in the form of SHA-2 cryptographic hash function for RSA signatures and a new format for PuTTY private keys.

The Daily Swig has approached EnterpriseDT for comment.

YOU MIGHT ALSO LIKE GitHub Actions workflow flaws provided write access to projects including Logstash

Leave a Reply

Your email address will not be published. Required fields are marked *