CVE-2009-5012: Improper Access Control in pyftpdlib
CVSS Score
4
Basic Information
CVE ID
GHSA ID
EPSS Score
0.42427%
CWE
Published
5/2/2022
Updated
10/14/2024
KEV Status
No
Technology
Python
Technical Details
CVSS Vector
AV:N/AC:L/Au:S/C:P/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
pyftpdlib | pip | <= 0.5.1 | 0.5.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from a missing permission check for the MLST command (the per-file machine-readable listing command defined in RFC 3659). In pyftpdlib, access control is enforced per command: each FTP command handler is a method prefixed with ftp_ in ftpserver.py, and it is that handler's job to confirm the authenticated user holds the required permission before acting. The advisory states that MLST did not require the 'l' (list) permission, so an authenticated user who had not been granted listing rights could still obtain file facts through MLST. This matches the CVSS vector: the attacker must be authenticated (Au:S) and the impact is limited to partial disclosure (C:P), with no integrity or availability effect. The fix (first patched version 0.5.2) would consist of adding the 'l' permission check to the ftp_MLST handler, bringing it in line with how the other listing commands are gated in the library.
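The per-command check described above, as an added example that is not pyftpdlib's own code: a constructed permission table in which every listing command requires 'l', next to the vulnerable variant in which MLST is left unchecked. The names USERS, REQUIRED_PERM and authorize are assumptions for this illustration; only the permission letters follow pyftpdlib's convention.

```python
# Constructed model of pyftpdlib-style per-command permission checks.
# Names here are assumptions for this example, not pyftpdlib's own API.

# Per-user permission strings (constructed sample data):
#   e = CWD/CDUP   l = LIST/NLST/MLSD/MLST   r = RETR   w = STOR
USERS = {
    "reader": "elr",  # may enter directories, list them and download
    "blind": "er",    # may enter and download, but must not see listings
}

# Patched behaviour: every listing command, MLST included, requires 'l'.
REQUIRED_PERM = {
    "CWD": "e", "LIST": "l", "NLST": "l", "MLSD": "l", "MLST": "l",
    "RETR": "r", "STOR": "w",
}

# Pre-0.5.2 behaviour: MLST is handled but exempt from any permission check.
VULNERABLE_REQUIRED_PERM = dict(REQUIRED_PERM)
VULNERABLE_REQUIRED_PERM["MLST"] = ""  # empty string: nothing required


def has_perm(username: str, perm: str) -> bool:
    """True when no permission is required or the user holds it."""
    return perm == "" or perm in USERS.get(username, "")


def authorize(username: str, command: str, table=REQUIRED_PERM) -> str:
    """Reply a command handler would send before carrying out the command."""
    cmd = command.upper()
    if cmd not in table:
        return "502 Command not implemented."
    if not has_perm(username, table[cmd]):
        return "550 Permission denied."
    return "250 OK."  # handler would now act on the command


def listing_leak(username: str) -> list:
    """Listing commands the vulnerable table lets a user run without 'l'."""
    return [c for c in ("LIST", "NLST", "MLSD", "MLST")
            if authorize(username, c, VULNERABLE_REQUIRED_PERM).startswith("250")]
```

With the vulnerable table, listing_leak("blind") reports only MLST: the user is correctly refused LIST, NLST and MLSD but still receives file facts from MLST.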