Vulnerability Description
Cerberus FTP Server Enterprise Edition prior to versions 11.0.3 and 10.0.18 allows an authenticated attacker to create files, display hidden files, list directories, and list files by using the zip-and-download (or unzip-and-upload) features, even when the account has not been granted the permissions those actions normally require. The zip and unzip code paths do not enforce the same per-file permission checks as the direct operations, so there are multiple ways to bypass certain permissions through them. As a result, users without the corresponding permission can see files, folders, and hidden files, and can create files and directories.
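The bug class described above is an authorization check that is applied on the direct code path (list, create, show hidden) but not on a compound operation (zip/unzip) that reaches the same data. The following is an added illustrative model, not Cerberus FTP Server code and not its permission model: the class names, permission names and the in-memory filesystem are constructed for the example. It contrasts a server whose zip/unzip handlers bypass the per-entry checks with one that routes them through the same gated primitives the direct operations use.

```python
"""Illustrative model of a permission bypass through a compound operation.

Added example, not Cerberus FTP Server code. A toy in-memory file server whose
direct operations (list, create, show hidden) check per-user permissions, while
zip/unzip take a second code path. VulnerableServer checks only the zip/unzip
permission and then touches the filesystem directly; HardenedServer re-uses the
gated primitives, so the compound operations inherit the same checks.
"""
from dataclasses import dataclass

# Constructed permission names for the example (not the product's own).
PERMS = {"list", "create", "show_hidden", "zip", "unzip"}


@dataclass
class User:
    name: str
    perms: set


# Constructed virtual filesystem: directory path -> entry names.
FS = {
    "/": ["public.txt", ".hidden_config", "docs"],
    "/docs": ["readme.md"],
}


class Server:
    def __init__(self, fs):
        # Copy so each instance mutates its own tree.
        self.fs = {k: list(v) for k, v in fs.items()}

    def _require(self, user, perm):
        if perm not in user.perms:
            raise PermissionError(f"{user.name} lacks {perm}")

    def _entries(self, path, show_hidden):
        return [n for n in self.fs[path] if show_hidden or not n.startswith(".")]

    # Direct operations: correctly gated on the relevant permission.
    def list_dir(self, user, path):
        self._require(user, "list")
        return self._entries(path, "show_hidden" in user.perms)

    def create_file(self, user, path, name):
        self._require(user, "create")
        self.fs.setdefault(path, []).append(name)


class VulnerableServer(Server):
    def zip_dir(self, user, path):
        # Only the zip permission is checked; the directory is then read
        # directly, so list and show_hidden are never consulted.
        self._require(user, "zip")
        return {"entries": list(self.fs[path])}

    def unzip(self, user, path, archive):
        # Only the unzip permission is checked; every member is written
        # without consulting the create permission.
        self._require(user, "unzip")
        for member in archive["entries"]:
            self.fs.setdefault(path, []).append(member)


class HardenedServer(Server):
    def zip_dir(self, user, path):
        self._require(user, "zip")
        # Compound operation reuses the gated primitive: list and
        # show_hidden are enforced exactly as for a direct listing.
        return {"entries": self.list_dir(user, path)}

    def unzip(self, user, path, archive):
        self._require(user, "unzip")
        for member in archive["entries"]:
            self.create_file(user, path, member)


def demo(server_cls):
    """Return what a user holding only zip/unzip achieves against server_cls."""
    srv = server_cls(FS)
    low = User("lowpriv", {"zip", "unzip"})
    result = {"direct_list_denied": False, "zip_listing": None, "unzip_created": None}
    try:
        srv.list_dir(low, "/")
    except PermissionError:
        result["direct_list_denied"] = True
    try:
        result["zip_listing"] = srv.zip_dir(low, "/")["entries"]
    except PermissionError:
        result["zip_listing"] = "denied"
    try:
        srv.unzip(low, "/docs", {"entries": ["planted.txt"]})
        result["unzip_created"] = "planted.txt" in srv.fs["/docs"]
    except PermissionError:
        result["unzip_created"] = "denied"
    return result


if __name__ == "__main__":
    print("vulnerable:", demo(VulnerableServer))
    print("hardened:  ", demo(HardenedServer))
```

Against VulnerableServer the direct listing is refused but the zip path returns every entry, dotfiles included, and the unzip path plants a file; against HardenedServer all three are refused. The check a practitioner wants from this model is simple: any feature that reads or writes files on a user's behalf (archive, search, rename, copy, sync) must call the same permission primitive as the direct operation, rather than re-implementing the filesystem access with its own coarser check.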
CVSS Score
8.1 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cerberusftp | Ftp Server | >= 10.0.0, < 10.0.18 |
References
- https://support.cerberusftp.com/hc/en-us/community/topics/360000164199-Announcem (URL truncated in source; Release Notes, Vendor Advisory)
- https://www.cerberusftp.com/zip-unzip-permission-bypass-vulnerability-fixed-in-c (URL truncated in source; Vendor Advisory)
- https://www.doyler.net/security-not-included/cerberus-ftp-vulnerabilities (Exploit, Third Party Advisory)
FAQ
What is CVE-2020-5196?
CVE-2020-5196 is a vulnerability with a CVSS base score of 8.1 (HIGH). Cerberus FTP Server Enterprise Edition prior to versions 11.0.3 and 10.0.18 allows an authenticated attacker to create files, display hidden files, list directories, and list files through the zip-and-download (or unzip-and-upload) features without holding the permissions those actions normally require.
How severe is CVE-2020-5196?
CVE-2020-5196 has been rated HIGH with a CVSS base score of 8.1/10. Exploitation requires an authenticated account, but that account needs only the zip/unzip feature rather than file-level permissions, and the impact is both information disclosure (listing files, folders and hidden files) and unauthorized file and directory creation.
Is there a patch for CVE-2020-5196?
Yes. The vendor fixed the issue in Cerberus FTP Server Enterprise Edition 11.0.3 and 10.0.18; upgrade to those versions or later. Until then, a mitigation consistent with the vulnerability description is to withhold the zip-and-download and unzip-and-upload features from accounts that lack the corresponding list, create and show-hidden permissions. See the references section above for the vendor advisory and release notes. Affected products include: Cerberusftp Ftp Server.