PublicDateAtUSN: 2018-08-01
Candidate: CVE-2018-10916
PublicDate: 2018-08-01 14:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10916
 https://ubuntu.com/security/notices/USN-3731-1
 https://ubuntu.com/security/notices/USN-3731-2
Description:
 It has been discovered that lftp up to and including version 4.8.3 does not
 properly sanitize remote file names, leading to a loss of integrity on the
 local system when reverse mirroring is used. A remote attacker may trick a
 user to use reverse mirroring on an attacker controlled FTP server,
 resulting in the removal of all files in the current working directory of
 the victim's system.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=905163
 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10916
 https://github.com/lavv17/lftp/issues/452
Priority: medium
Discovered-by:
Assigned-to: leosilva
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N [6.5 MEDIUM]


Patches_lftp:
 other: https://github.com/lavv17/lftp/commit/a27e07d90a4608ceaf928b1babb27d4d803e1992
upstream_lftp: released (4.8.4-1)
precise/esm_lftp: released (4.3.3-1ubuntu0.1)
trusty_lftp: released (4.4.13-1ubuntu0.1)
trusty/esm_lftp: released (4.4.13-1ubuntu0.1)
xenial_lftp: released (4.6.3a-1ubuntu0.1)
esm-infra/xenial_lftp: released (4.6.3a-1ubuntu0.1)
bionic_lftp: released (4.8.1-1ubuntu0.1)
devel_lftp: not-affected (4.8.4-1)