CVE-2010-2073

auth_db_config.py in Pyftpd 0.8.4 contains hard-coded usernames and passwords for the (1) test, (2) user, and (3) roxon accounts, which allows remote attackers to read arbitrary files from the FTP server.

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=585776	Mailing List Patch
http://www.openwall.com/lists/oss-security/2010/06/13/2	Mailing List
http://www.securityfocus.com/bid/40839	Broken Link Third Party Advisory VDB Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/59431	Third Party Advisory VDB Entry

Configurations

Configuration 1 (hide)

cpe:2.3:a:debian:pyftpd:0.8.4:*:*:*:*:*:*:*

History

No history.

Information

Published : 2010-06-16 20:30

Updated : 2024-02-13 16:44

NVD link : CVE-2010-2073

Mitre link : CVE-2010-2073

CVE.ORG link : CVE-2010-2073

JSON object : View

Products Affected

debian

pyftpd

CWE

CWE-798

Use of Hard-coded Credentials

{"id": "CVE-2010-2073", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2010-06-16T20:30:02.577", "references": [{"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=585776", "tags": ["Mailing List", "Patch"], "source": "secalert@redhat.com"}, {"url": "http://www.openwall.com/lists/oss-security/2010/06/13/2", "tags": ["Mailing List"], "source": "secalert@redhat.com"}, {"url": "http://www.securityfocus.com/bid/40839", "tags": ["Broken Link", "Third Party Advisory", "VDB Entry"], "source": "secalert@redhat.com"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/59431", "tags": ["Third Party Advisory", "VDB Entry"], "source": "secalert@redhat.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-798"}]}], "descriptions": [{"lang": "en", "value": "auth_db_config.py in Pyftpd 0.8.4 contains hard-coded usernames and passwords for the (1) test, (2) user, and (3) roxon accounts, which allows remote attackers to read arbitrary files from the FTP server."}, {"lang": "es", "value": "auth_db_config.py en Pyftpd v0.8.4 contiene nombres de usuario y contrase\u00f1as embebidas en el c\u00f3digo para las cuentas (1) test, (2) user, y (3) roxon, lo que permite a atacantes remotos leer archivos de su elecci\u00f3n del servidor FTP."}], "lastModified": "2024-02-13T16:44:33.337", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:debian:pyftpd:0.8.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A0248E1A-E990-489B-9DCF-1DE6AA22E18F"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}