CVE-2009-5012: Improper Access Control in pyftpdlib

May 2, 2022 (updated October 14, 2024)

ftpserver.py in pyftpdlib before 0.5.2 does not require the l permission for the MLST command, which allows remote authenticated users to bypass intended access restrictions and list the root directory via an FTP session.

References

github.com/advisories/GHSA-h4g7-8m7r-87r9
github.com/giampaolo/pyftpdlib
github.com/pypa/advisory-database/tree/main/vulns/pyftpdlib/PYSEC-2010-9.yaml
nvd.nist.gov/vuln/detail/CVE-2009-5012

Detect and mitigate CVE-2009-5012 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →