Vulnerabilites related to university_of_washington - wu-ftpd
CVE-1999-0997 (GCVE-0-1999-0997)
Vulnerability from cvelistv5
Published
2000-04-25 04:00
Modified
2024-08-01 16:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
wu-ftp with FTP conversion enabled allows an attacker to execute commands via a malformed file name that is interpreted as an argument to the program that does the conversion, e.g. tar or uncompress.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T16:55:29.389Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "DSA-377",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2003/dsa-377"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "1999-12-20T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "wu-ftp with FTP conversion enabled allows an attacker to execute commands via a malformed file name that is interpreted as an argument to the program that does the conversion, e.g. tar or uncompress."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2004-09-02T09:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "DSA-377",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2003/dsa-377"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-1999-0997",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "wu-ftp with FTP conversion enabled allows an attacker to execute commands via a malformed file name that is interpreted as an argument to the program that does the conversion, e.g. tar or uncompress."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "DSA-377",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2003/dsa-377"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-1999-0997",
"datePublished": "2000-04-25T04:00:00",
"dateReserved": "1999-12-21T00:00:00",
"dateUpdated": "2024-08-01T16:55:29.389Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-1999-0202 (GCVE-0-1999-0202)
Vulnerability from cvelistv5
Published
1999-09-29 04:00
Modified
2024-08-01 16:27
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The GNU tar command, when used in FTP sessions, may allow an attacker to execute arbitrary commands.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T16:27:57.936Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.cve.org/CVERecord?id=CVE-1999-0202"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The GNU tar command, when used in FTP sessions, may allow an attacker to execute arbitrary commands."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-17T08:24:54",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.cve.org/CVERecord?id=CVE-1999-0202"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-1999-0202",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The GNU tar command, when used in FTP sessions, may allow an attacker to execute arbitrary commands."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.cve.org/CVERecord?id=CVE-1999-0202",
"refsource": "MISC",
"url": "https://www.cve.org/CVERecord?id=CVE-1999-0202"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-1999-0202",
"datePublished": "1999-09-29T04:00:00",
"dateReserved": "1999-06-07T00:00:00",
"dateUpdated": "2024-08-01T16:27:57.936Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
1997-01-01 05:00
Modified
2025-04-03 01:03
Severity ?
Summary
The GNU tar command, when used in FTP sessions, may allow an attacker to execute arbitrary commands.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| university_of_washington | wu-ftpd | 2.4.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:university_of_washington:wu-ftpd:2.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "7CD8D2AC-B757-413B-9450-5E0377B166AE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The GNU tar command, when used in FTP sessions, may allow an attacker to execute arbitrary commands."
}
],
"id": "CVE-1999-0202",
"lastModified": "2025-04-03T01:03:51.193",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": true,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "1997-01-01T05:00:00.000",
"references": [
{
"source": "cve@mitre.org",
"url": "https://www.cve.org/CVERecord?id=CVE-1999-0202"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.cve.org/CVERecord?id=CVE-1999-0202"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
1999-12-20 05:00
Modified
2025-04-03 01:03
Severity ?
Summary
wu-ftp with FTP conversion enabled allows an attacker to execute commands via a malformed file name that is interpreted as an argument to the program that does the conversion, e.g. tar or uncompress.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| millenux_gmbh | anonftp | 2.8.1 | |
| university_of_washington | wu-ftpd | 2.4.2 | |
| university_of_washington | wu-ftpd | 2.5.0 | |
| university_of_washington | wu-ftpd | 2.6.0 | |
| redhat | linux | 5.2 | |
| redhat | linux | 6.0 | |
| redhat | linux | 6.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:millenux_gmbh:anonftp:2.8.1:*:*:*:*:*:*:*",
"matchCriteriaId": "54BD613B-52C9-4F57-B1B3-C7E38F829F91",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:university_of_washington:wu-ftpd:2.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "82A23988-1494-4BFD-908A-78FE2BC7C33B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:university_of_washington:wu-ftpd:2.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "54D2322D-BBA4-4C36-81EC-E37FE8C87689",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:university_of_washington:wu-ftpd:2.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "688CB1B7-D36C-4DA2-A261-07B23FCE1230",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:redhat:linux:5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "A8EED385-8C39-4A40-A507-2EFE7652FB35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:linux:6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2DFA94D5-0139-490C-8257-0751FE9FBAE4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:linux:6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "2EC4D3AB-38FA-4D44-AF5C-2DCD15994E76",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "wu-ftp with FTP conversion enabled allows an attacker to execute commands via a malformed file name that is interpreted as an argument to the program that does the conversion, e.g. tar or uncompress."
}
],
"id": "CVE-1999-0997",
"lastModified": "2025-04-03T01:03:51.193",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": true,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "1999-12-20T05:00:00.000",
"references": [
{
"source": "cve@mitre.org",
"url": "http://www.debian.org/security/2003/dsa-377"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2003/dsa-377"
}
],
"sourceIdentifier": "cve@mitre.org",
"vendorComments": [
{
"comment": "Red Hat does not consider CVE-1999-0997 to be a security vulnerability. The wu-ftpd process chroots itself into the target ftp directory and will only run external commands as the user logged into the ftp server. Because the process chroots itself, an attacker needs a valid login with write access to the ftp server, and even then they could only potentially execute commands as themselves.",
"lastModified": "2006-09-27T00:00:00",
"organization": "Red Hat"
}
],
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}