Vulnerability Information
Vulnerability Title
FTP Command Injection via CRLF in basic-ftp
Vulnerability Description
basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences (\r\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library's protectWhitespace() helper only handles leading spaces and returns other paths unchanged, while FtpContext.send() writes the resulting command string directly to the control socket with \r\n appended. This lets attacker-controlled path strings split one intended FTP command into multiple commands. This vulnerability is fixed in 5.2.1.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Vulnerability Type
Improper Neutralization of CRLF Sequences (CRLF Injection)
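For callers that cannot yet move to 5.2.1, the description above suggests a caller-side check: reject any path containing CR or LF before it reaches a path API. The following is an added example, not code from basic-ftp or from this advisory; `isSafeFtpPath`, `assertSafeFtpPath` and `countControlLines` are hypothetical helper names, and the sample paths are constructed.

```javascript
// Added example: hypothetical caller-side helpers, not part of basic-ftp.
// FTP frames control-channel commands by line ending, so a CR or LF inside
// a path argument ends the intended command early.
const LINE_BREAK = /[\r\n]/;

// True only for non-empty strings that contain no CR or LF.
function isSafeFtpPath(path) {
  return typeof path === 'string' && path.length > 0 && !LINE_BREAK.test(path);
}

// Throws instead of passing a line-breaking path on to an FTP path API.
// The value is JSON-escaped in the message so the error itself cannot
// inject line breaks into logs.
function assertSafeFtpPath(path) {
  if (!isSafeFtpPath(path)) {
    throw new TypeError(`FTP path contains CR/LF or is empty: ${JSON.stringify(path)}`);
  }
  return path;
}

// Model of the framing described in the advisory: the command string is
// written with "\r\n" appended. Returns how many command lines a server
// would read from that write (bare CR or LF counted conservatively).
function countControlLines(verb, path) {
  const wire = `${verb} ${path}\r\n`;
  return wire.split(/\r\n|\r|\n/).filter((line) => line.length > 0).length;
}

// Constructed sample inputs: one ordinary path, one with an embedded CRLF.
const samples = ['reports/2024/q1.csv', 'reports/2024\r\nNOOP'];
for (const p of samples) {
  console.log(
    JSON.stringify(p),
    'safe:', isSafeFtpPath(p),
    'lines on wire:', countControlLines('CWD', p)
  );
}
```

A path that yields more than one line in `countControlLines` is exactly the case the validator rejects; leading spaces, which the advisory says `protectWhitespace()` already handles, pass through unchanged.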
Vulnerability Title
Basic FTP Security Vulnerability
Vulnerability Description
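Basic FTP is a Node.js FTP client library by individual developer Patrick Juchli. Versions of Basic FTP prior to 5.2.1 contain a security vulnerability: file path parameters may contain CRLF sequences, which can lead to FTP command injection attacks.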
CVSS Information
N/A
Vulnerability Type
N/A