A vulnerability classified as critical has been found in Alexander V. Lukyanov LFTP up to 2.6.11. Affected is an unknown function of the component Password Handler. The manipulation with an unknown input leads to a missing encryption vulnerability. CWE is classifying the issue as CWE-311. The product does not encrypt sensitive or critical information before storage or transmission. This is going to have an impact on confidentiality, and integrity.

The weakness was published 04/22/2004 by Alex Behar (Website). The advisory is available at secunia.com. The attack needs to approached within the local network. The exploitation doesn't require any form of authentication. Technical details are unknown but a public exploit is available. This vulnerability is assigned to T1600 by the MITRE ATT&CK project.

After before and not just, there has been an exploit disclosed. The exploit is shared for download at securityfocus.com. It is declared as proof-of-concept. The vulnerability was handled as a non-public zero-day exploit for at least 1 days. During that time the estimated underground price was around $0-$5k.

Upgrading eliminates this vulnerability. Applying a patch is able to eliminate this problem. The bugfix is ready for download at gnu.org. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the vulnerability database at X-Force (15943). Further details are available at vuldb.com. Similar entries are available at 629 and 622.

Productinfo

Vendor

• Alexander V. Lukyanov

Name

• LFTP

Version

• 2.6.0
• 2.6.1
• 2.6.2
• 2.6.3
• 2.6.4
• 2.6.5
• 2.6.6
• 2.6.7
• 2.6.8
• 2.6.9
• 2.6.10
• 2.6.11

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion