CVE-2007-2348

Publication date 27 April 2007

Last updated 24 July 2024


Ubuntu priority

mirror --script in lftp before 3.5.9 does not properly quote shell metacharacters, which might allow remote user-assisted attackers to execute shell commands via a malicious script. NOTE: it is not clear whether this issue crosses security boundaries, since the script already supports commands such as “get” which could overwrite executable files.

Read the notes from the security team

Status

No maintained releases are affected by this CVE.

Package Ubuntu Release Status
lftp 7.04 feisty Ignored
6.10 edgy Ignored
6.06 LTS dapper Ignored

Notes


kees

Already documented as dangerous, upstream is not fixing.