Bug 2442644 (CVE-2026-27699)
| Summary: | CVE-2026-27699 basic-ftp: basic-ftp: File overwrite due to path traversal | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | adudiak, caswilli, kaycoth, kshier, stcannon, teagle, yguenane |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in basic-ftp, an FTP client library. A malicious FTP server can exploit a path traversal vulnerability (CWE-22) within the `downloadToDir()` method. This allows the server to send directory listings containing special sequences that trick the client into writing files to unintended locations on the system. Such an attack could lead to unauthorized file creation or modification, potentially compromising the integrity of the affected system.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2442702, 2442704 | ||
| Bug Blocks: | |||
|
Description
OSIDB Bzimport
2026-02-25 16:03:40 UTC
|