CVE-2014-1693

Priority
Low
Description
Multiple CRLF injection vulnerabilities in the FTP module in Erlang/OTP
R15B03 allow context-dependent attackers to inject arbitrary FTP commands
via CRLF sequences in the (1) user, (2) account, (3) cd, (4) ls, (5) nlist,
(6) rename, (7) delete, (8) mkdir, (9) rmdir, (10) recv, (11) recv_bin,
(12) recv_chunk_start, (13) send, (14) send_bin, (15) send_chunk_start,
(16) append_chunk_start, (17) append, or (18) append_bin command.
Notes
 jdstrand> requires MITM between erlang system and ftp server or for the web
  server to not do input sanitization
Assigned-to
mdeslaur
Package
Upstream: released (1:16.b.3.1-dfsg-3, 1:15.b.1-dfsg-4+deb7u1)
Ubuntu 12.04 ESM (Precise Pangolin): DNE (precise was needed)
Ubuntu 14.04 LTS (Trusty Tahr): released (1:16.b.3-dfsg-1ubuntu2.2)
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (1:17.3-dfsg-3ubuntu1)
Ubuntu 17.10 (Artful Aardvark): not-affected (1:17.3-dfsg-3ubuntu1)
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (1:17.3-dfsg-3ubuntu1)
Patches:
Upstream: https://github.com/erlang/otp/commit/6995e4764d2722ca315a68facd8777f3c8970db7
Updated: 2018-02-14 16:14:40 UTC (commit 14193)