cnvd - cnvd-2021-17434

CNVD-2021-17434

Vulnerability from cnvd - Published: 2021-03-15

Title

Monsta FTP存在未明漏洞

Description

Monsta FTP是新西兰Monsta公司的一款轻量级文件管理器。它支持文件传输、文件管理和文档编辑等功能。 Monsta FTP 2.10.1及之前版本中存在安全漏洞，该漏洞源于外部用户可控制文件系统操作中使用的路径，攻击者可利用该漏洞读写任意本地文件，执行远程代码。

Severity

高

Formal description

厂商尚未提供漏洞修补方案，请关注厂商主页及时更新： https://www.monstaftp.com/

Reference

https://nvd.nist.gov/vuln/detail/CVE-2020-14057

Impacted products

Name
Monsta Monsta FTP <=2.10.1

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-14057"
    }
  },
  "description": "Monsta FTP\u662f\u65b0\u897f\u5170Monsta\u516c\u53f8\u7684\u4e00\u6b3e\u8f7b\u91cf\u7ea7\u6587\u4ef6\u7ba1\u7406\u5668\u3002\u5b83\u652f\u6301\u6587\u4ef6\u4f20\u8f93\u3001\u6587\u4ef6\u7ba1\u7406\u548c\u6587\u6863\u7f16\u8f91\u7b49\u529f\u80fd\u3002\n\nMonsta FTP 2.10.1\u53ca\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5916\u90e8\u7528\u6237\u53ef\u63a7\u5236\u6587\u4ef6\u7cfb\u7edf\u64cd\u4f5c\u4e2d\u4f7f\u7528\u7684\u8def\u5f84\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8bfb\u5199\u4efb\u610f\u672c\u5730\u6587\u4ef6\uff0c\u6267\u884c\u8fdc\u7a0b\u4ee3\u7801\u3002",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u8865\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u53ca\u65f6\u66f4\u65b0\uff1a\r\nhttps://www.monstaftp.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-17434",
  "openTime": "2021-03-15",
  "products": {
    "product": "Monsta Monsta FTP \u003c=2.10.1"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-14057",
  "serverity": "\u9ad8",
  "submitTime": "2020-07-02",
  "title": "Monsta FTP\u5b58\u5728\u672a\u660e\u6f0f\u6d1e"
}

CVE-2020-14057 (GCVE-0-2020-14057)

Vulnerability from cvelistv5 – Published: 2020-07-01 16:13 – Updated: 2024-08-04 12:32

Summary

Monsta FTP 2.10.1 or below allows external control of paths used in filesystem operations. This allows attackers to read and write arbitrary local files, allowing an attacker to gain remote code execution in common deployments.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	https://www.monstaftp.com/notes/	x_refsource_MISC
	https://github.com/sbaresearch/advisories/tree/pu…	x_refsource_MISC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T12:32:14.681Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.monstaftp.com/notes/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/sbaresearch/advisories/tree/public/2019/SBA-ADV-20191203-01_Monsta_FTP_Arbitrary_File_Read_and_Write"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Monsta FTP 2.10.1 or below allows external control of paths used in filesystem operations. This allows attackers to read and write arbitrary local files, allowing an attacker to gain remote code execution in common deployments."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-07-01T16:13:42",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.monstaftp.com/notes/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/sbaresearch/advisories/tree/public/2019/SBA-ADV-20191203-01_Monsta_FTP_Arbitrary_File_Read_and_Write"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-14057",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Monsta FTP 2.10.1 or below allows external control of paths used in filesystem operations. This allows attackers to read and write arbitrary local files, allowing an attacker to gain remote code execution in common deployments."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.monstaftp.com/notes/",
              "refsource": "MISC",
              "url": "https://www.monstaftp.com/notes/"
            },
            {
              "name": "https://github.com/sbaresearch/advisories/tree/public/2019/SBA-ADV-20191203-01_Monsta_FTP_Arbitrary_File_Read_and_Write",
              "refsource": "MISC",
              "url": "https://github.com/sbaresearch/advisories/tree/public/2019/SBA-ADV-20191203-01_Monsta_FTP_Arbitrary_File_Read_and_Write"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-14057",
    "datePublished": "2020-07-01T16:13:42",
    "dateReserved": "2020-06-12T00:00:00",
    "dateUpdated": "2024-08-04T12:32:14.681Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2021-17434

CVE-2020-14057 (GCVE-0-2020-14057)

Tags

Sightings

Nomenclature