
chore(deps): update dependency ftp-srv to 4.4.0 [security] - autoclosed #353

Closed

Conversation


@renovate renovate bot commented Feb 10, 2021

WhiteSource Renovate

This PR contains the following updates:

Package: ftp-srv
Change: 4.1.0 -> 4.4.0

GitHub Vulnerability Alerts

CVE-2020-15152

Background

The FTP protocol creates two connections, one for commands and one for transferring data.
This second data connection can be created in two ways, on the server by sending the PASV command, or on the client by sending the PORT command.

The PORT command sends the IP and port for the server to connect to the client with.

Issue

Since the client can send an arbitrary IP with the PORT command, this can be used to cause the server to make a connection elsewhere.

Patches

  • fix: disallow PORT connections to alternate hosts: e449e75219d918c400dec65b4b0759f60476abca

Deprecation notices have been published for older versions.

Workarounds

Blacklisting the FTP Command PORT will prevent the server from exposing this behaviour through active connections until a fix is applied.

// Refuse the PORT command (active mode) until the fixed ftp-srv version is installed
const { FtpSrv } = require('ftp-srv');
const ftp = new FtpSrv({
  blacklist: ['PORT']
});

References

https://www.npmjs.com/advisories/1445

Credits

Thank you to:
@trs for fixing it
@andreeleuterio for reporting it to us for an anonymous user (Vincent) through the NPM platform
@quiquelhappy for bringing it to our attention after it slipped through the cracks during Christmas

For more information

If you have any questions or comments about this advisory:

CVE-2020-26299

Impact

Clients of FTP servers utilizing ftp-srv hosted on Windows machines can escape the FTP user's defined root folder using the expected FTP commands, for example, CWD and UPDR.

Background

When Windows separators exist within the path (\), path.resolve leaves the upper pointers intact and allows the user to move beyond the root folder defined for that user. We did not take that into account when creating the path resolve function.

[Screenshot attached: Screen Shot 2020-12-15 at 6:42:52 PM]

Patches

None at the moment.

Workarounds

There are no workarounds for Windows servers. Hosting the server on a different OS mitigates the issue.

References

Issues:
QuorumDMS/ftp-srv#167
QuorumDMS/ftp-srv#225

For more information

If you have any questions or comments about this advisory:
Open an issue at https://github.com/autovance/ftp-srv.
Please email us directly: security@autovance.com.


Renovate configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by WhiteSource Renovate. View repository job log here.

@renovate renovate bot force-pushed the renovate/npm-ftp-srv-vulnerability branch 2 times, most recently from 1a31994 to 342e037 Compare February 22, 2021 12:46
@renovate renovate bot changed the title fix(deps): update dependency ftp-srv to v4.4.0 [security] fix(deps): update dependency ftp-srv to ^4.4.0 [security] Feb 22, 2021
@renovate renovate bot force-pushed the renovate/npm-ftp-srv-vulnerability branch from 342e037 to 3c89a5f Compare February 25, 2021 12:23
@renovate renovate bot changed the title fix(deps): update dependency ftp-srv to ^4.4.0 [security] fix(deps): update dependency ftp-srv to v4.4.0 [security] Feb 25, 2021
@renovate renovate bot force-pushed the renovate/npm-ftp-srv-vulnerability branch from 3c89a5f to e0d2c2e Compare February 26, 2021 10:30
@renovate renovate bot force-pushed the renovate/npm-ftp-srv-vulnerability branch from e0d2c2e to 11ec82f Compare February 28, 2021 14:25

renovate bot commented Mar 3, 2021

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻️ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you check the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: nodejs-ftp-srv/package-lock.json

@renovate renovate bot changed the title fix(deps): update dependency ftp-srv to v4.4.0 [security] chore(deps): update dependency ftp-srv to 4.4.0 [security] Mar 4, 2021
@renovate renovate bot changed the title chore(deps): update dependency ftp-srv to 4.4.0 [security] chore(deps): update dependency ftp-srv to 4.4.0 [security] - autoclosed Mar 20, 2021
@renovate renovate bot closed this Mar 20, 2021
@renovate renovate bot deleted the renovate/npm-ftp-srv-vulnerability branch March 20, 2021 14:14