Vulnerability Description
The Auth API in ProFTPD before 20070417, when multiple simultaneous authentication modules are configured, does not require that the module that checks authentication is the same as the module that retrieves authentication data, which might allow remote attackers to bypass authentication, as demonstrated by use of SQLAuthTypes Plaintext in mod_sql, with data retrieved from /etc/passwd.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Proftpd Project | Proftpd | <= 1.3.0_rc1 |
References
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=419255Vendor Advisory
- http://bugs.proftpd.org/show_bug.cgi?id=2922Patch
- http://osvdb.org/34602
- http://secunia.com/advisories/24867Vendor Advisory
- http://secunia.com/advisories/25724
- http://secunia.com/advisories/27516
- http://securitytracker.com/id?1017931Vendor Advisory
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:130
- http://www.securityfocus.com/bid/23546
- http://www.vupen.com/english/advisories/2007/1444
- https://bugzilla.redhat.com/show_bug.cgi?id=237533
- https://exchange.xforce.ibmcloud.com/vulnerabilities/33733
- https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00065.h
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=419255Vendor Advisory
- http://bugs.proftpd.org/show_bug.cgi?id=2922Patch
FAQ
What is CVE-2007-2165?
CVE-2007-2165 is a vulnerability with a CVSS score of 5.1 (MEDIUM). The Auth API in ProFTPD before 20070417, when multiple simultaneous authentication modules are configured, does not require that the module that checks authentication is the same as the module that re...
How severe is CVE-2007-2165?
CVE-2007-2165 has been rated MEDIUM with a CVSS base score of 5.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2007-2165?
Check the references section above for vendor advisories and patch information. Affected products include: Proftpd Project Proftpd.