CVE-2020-6857 — MEDIUM (5.5)

Vulnerability Description

CarbonFTP v1.4 uses insecure proprietary password encryption with a hard-coded weak encryption key. The key for local FTP server passwords is hard-coded in the binary.

CVSS Score

5.5

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Taskautomation	Carbonftp	1.4

Related Weaknesses (CWE)

CWE-798 CWE-327

References

http://hyp3rlinx.altervista.orgExploitThird Party Advisory
http://packetstormsecurity.com/files/156015/Neowise-CarbonFTP-1.4-Insecure-ProprExploitThird Party AdvisoryVDB Entry
http://packetstormsecurity.com/files/157321/Neowise-CarbonFTP-1.4-Insecure-ProprExploitThird Party AdvisoryVDB Entry
http://seclists.org/fulldisclosure/2020/Jan/29ExploitMailing ListThird Party Advisory
http://seclists.org/fulldisclosure/2020/Jan/35ExploitMailing ListThird Party Advisory
https://seclists.org/bugtraq/2020/Jan/30ExploitMailing ListThird Party Advisory
http://hyp3rlinx.altervista.orgExploitThird Party Advisory
http://packetstormsecurity.com/files/156015/Neowise-CarbonFTP-1.4-Insecure-ProprExploitThird Party AdvisoryVDB Entry
http://packetstormsecurity.com/files/157321/Neowise-CarbonFTP-1.4-Insecure-ProprExploitThird Party AdvisoryVDB Entry
http://seclists.org/fulldisclosure/2020/Jan/29ExploitMailing ListThird Party Advisory
http://seclists.org/fulldisclosure/2020/Jan/35ExploitMailing ListThird Party Advisory
https://seclists.org/bugtraq/2020/Jan/30ExploitMailing ListThird Party Advisory

FAQ

What is CVE-2020-6857?

CVE-2020-6857 is a vulnerability with a CVSS score of 5.5 (MEDIUM). CarbonFTP v1.4 uses insecure proprietary password encryption with a hard-coded weak encryption key. The key for local FTP server passwords is hard-coded in the binary.

How severe is CVE-2020-6857?

CVE-2020-6857 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-6857?

Check the references section above for vendor advisories and patch information. Affected products include: Taskautomation Carbonftp.