CVE-2010-2251 - Vulnerability Details

The get1 command, as used by lftpget, in LFTP before 4.0.6 does not properly validate a server-provided filename before determining the destination filename of a download, which allows remote servers to create or overwrite arbitrary files via a Content-Disposition header that suggests a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Alexander V. Lukyanov	Lftp
Redhat	Enterprise Linux

Configuration 1 [-]

OR	cpe:2.3:a:alexander_v._lukyanov:lftp::::::::
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.0.0:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.0.1:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.0.2:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.0.3:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.0.4:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.0.5:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.1.0:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.1.1:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.1.2:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.1.3:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.1.4:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.1.5:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.1.6:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.1.7:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.1.8:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.1.9:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.1.10:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.2.0:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.2.0a:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.2.1:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.2.2:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.2.3:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.2.4:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.2.5:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.2.6:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.3:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.3.0:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.3.1:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.3.2:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.3.3:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.3.4:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.3.5:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.3.6:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.3.7:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.3.8:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.3.9:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.3.10:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.3.11:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.4.0:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.4.1:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.4.2:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.4.3:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.4.5:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.4.6:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.4.7:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.4.8:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.4.9:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.4.10:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.4.10a:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.5.0:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.5.1:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.5.2:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.5.3:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.5.4:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.6.0:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.6.1:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.6.2:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.6.3:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.6.4:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.6.5:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.6.6:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.6.7:::::::*
	cpe:2.3:a:alexander_v._lukyanov:lftp:2.6.8:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:2.6.9:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:2.6.10:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:2.6.11:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:2.6.12:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.0.0:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.0.1:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.0.2:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.0.3:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.0.4:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.0.5:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.0.6:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.0.7:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.0.8:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.0.9:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.0.10:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.0.11:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.0.12:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.0.13:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.1.0:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.1.1:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.1.2:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.1.3:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.2.0:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.2.1:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.3.0:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.3.1:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.3.2:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.3.3:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.3.4:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.3.5:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.4.0:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.4.1:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.4.2:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.4.3:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.4.4:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.4.5:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.4.6:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.4.7:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.5.0:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.5.1:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.5.2:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.5.3:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.5.4:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.5.5:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.5.6:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.5.7:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.5.8:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.5.9:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.5.10:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.5.11:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.5.12:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.5.13:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.5.14:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.5.15:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.6.0:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.6.1:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.6.2:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.6.3:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.7.0:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.7.1:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.7.2:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.7.3:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.7.4:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.7.5:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.7.6:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.7.7:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.7.8:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.7.9:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.7.10:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.7.11:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.7.12:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.7.13:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:3.7.14:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:4.0.0:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:4.0.1:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:4.0.2:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:4.0.3:::::::*
cpe:2.3:a:alexander_v._lukyanov:lftp:4.0.4:::::::*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 5
lftp-0:3.7.11-4.el5_5.3	cpe:/o:redhat:enterprise_linux:5	RHSA-2010:0585	2010-08-02T00:00:00Z

References

Link	Providers
http://lftp.yar.ru/news.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043597.html
http://lists.opensuse.org/opensuse-security-announce/2010-08/msg00001.html
http://marc.info/?l=oss-security&m=127411372529485&w=2
http://marc.info/?l=oss-security&m=127432968701342&w=2
http://marc.info/?l=oss-security&m=127611288927500&w=2
http://marc.info/?l=oss-security&m=127620248914170&w=2
http://secunia.com/advisories/40400
http://wiki.rpath.com/Advisories:rPSA-2010-0073
http://www.debian.org/security/2010/dsa-2085
http://www.ocert.org/advisories/ocert-2010-001.html
http://www.securityfocus.com/archive/1/514499/100/0/threaded
http://www.vupen.com/english/advisories/2010/1654
https://bugzilla.redhat.com/show_bug.cgi?id=591580
https://bugzilla.redhat.com/show_bug.cgi?id=602836
https://nvd.nist.gov/vuln/detail/CVE-2010-2251
https://www.cve.org/CVERecord?id=CVE-2010-2251

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2010-07-06T14:00:00

Updated: 2024-08-07T02:25:07.558Z

Reserved: 2010-06-09T00:00:00

Link: CVE-2010-2251

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2010-07-06T17:17:13.267

Modified: 2025-04-11T00:51:21.963

Link: CVE-2010-2251

Redhat

Severity : Moderate

Publid Date: 2010-05-17T00:00:00Z

Links: CVE-2010-2251 - Bugzilla

Metrics

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

Metrics

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object