Miggo Logo
Book a Demo
Miggo Vulnerability Database
CVE-2008-7263

CVE-2008-7263:
Improper Authentication in pyftpdlib

7.3

CVSS Score

Basic Information

CVE ID
CVE-2008-7263
GHSA ID
GHSA-q6w2-jxcm-2crj
EPSS Score
-
CWE
CWE-287
Published
5/17/2022
Updated
10/23/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Package NameEcosystemVulnerable VersionsFirst Patched Version
pyftpdlibpip< 0.5.00.5.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from missing delay mechanisms in authentication handling. The FTPHandler.ftp_PASS function in ftpserver.py is directly responsible for processing password authentication. Pre-0.5.0 versions lacked any artificial delay after failed login attempts, as evidenced by CVE description and associated GitHub issue #73 discussing missing RFC-2577 recommended delays. This function's immediate response to invalid credentials allowed unlimited rapid password guessing. The first patched version (0.5.0) would logically add delay logic in this authentication flow, though exact commit diffs are unavailable.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*tps*rv*r.py in py*tp*li* ***or* *.*.* *o*s not **l*y its r*spons* **t*r r***ivin* *n inv*li* lo*in *tt*mpt, w*i** m*k*s it **si*r *or r*mot* *tt**k*rs to o*t*in ****ss vi* * *rut*-*or** *tt**k.

Reasoning

T** vuln*r**ility st*ms *rom missin* **l*y m****nisms in *ut**nti**tion **n*lin*. T** *TP**n*l*r.*tp_P*SS *un*tion in *tps*rv*r.py is *ir**tly r*sponsi*l* *or pro**ssin* p*sswor* *ut**nti**tion. Pr*-*.*.* v*rsions l**k** *ny *rti*i*i*l **l*y **t*r **