CVE-2018-10916
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2018-10916
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-10916.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2018-10916
- Downstream
- Related
- Published
- 2018-08-01T14:29:00Z
- Modified
- 2025-10-14T16:19:28.820395Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVSS Calculator
- Summary
- [none]
- Details
-
It has been discovered that lftp up to and including version 4.8.3 does not properly sanitize remote file names, leading to a loss of integrity on the local system when reverse mirroring is used. A remote attacker may trick a user to use reverse mirroring on an attacker controlled FTP server, resulting in the removal of all files in the current working directory of the victim's system.
- References
-
- http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00036.html
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10916
- https://github.com/lavv17/lftp/commit/a27e07d90a4608ceaf928b1babb27d4d803e1992
- https://github.com/lavv17/lftp/issues/452
- https://usn.ubuntu.com/3731-2/
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00010.html
Affected packages
Git / github.com/lavv17/lftp
Affected ranges
- Type
- GIT
- Repo
- https://github.com/lavv17/lftp
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
Other
lftp-2-2-0
lftp-2-2-0a
lftp-2-2-2
lftp-2-3-0
lftp-2-3-1
lftp-2-3-10
lftp-2-3-11
lftp-2-3-3
lftp-2-3-4
lftp-2-3-5
lftp-2-3-6
lftp-2-3-7
lftp-2-3-8
lftp-2-3-9
lftp-2-4-0
lftp-2-4-1
lftp-2-4-2
lftp-2-4-3
lftp-2-4-4
lftp-2-4-5
lftp-2-4-6
lftp-2-4-7
lftp-2-5-0
lftp-2-5-0a
lftp-2-5-1
lftp-2-5-2
lftp-2-5-3
lftp-2-5-4
lftp-2-6-0
lftp-2-6-1
lftp-2-6-1a
lftp-2-6-2
lftp-2-6-3
lftp-2-6-4
lftp-2-6-5
lftp-2-6-6
lftp-2-6-7
lftp-2-6-8
lftp-2-6-9
lftp-3-0-0
lftp-3-0-1
lftp-3-0-10
lftp-3-0-11
lftp-3-0-12
lftp-3-0-13
lftp-3-0-2
lftp-3-0-3
lftp-3-0-4
lftp-3-0-5
lftp-3-0-6
lftp-3-0-7
lftp-3-0-8
lftp-3-0-9
lftp-3-1-0
lftp-3-1-1
lftp-3-1-2
lftp-3-1-3
lftp-3-2-0
lftp-3-2-1
lftp-3-3-0
lftp-3-3-1
lftp-3-3-2
lftp-3-3-3
lftp-3-3-4
lftp-3-3-5
lftp-3-4-0
lftp-3-4-1
lftp-3-4-2
lftp-3-4-3
lftp-3-4-4
lftp-3-4-5
lftp-3-4-6
lftp-3-4-7
lftp-3-5-0
lftp-3-5-1
lftp-3-5-2
lftp-3-5-3
lftp-3-5-4
lftp-3-5-5
lftp-3-6-0
lftp-3-6-1
lftp-3-6-2
lftp-3-6-3
lftp-3-7-0
lftp-3-7-1
lftp-3-7-10
lftp-3-7-11
lftp-3-7-12
lftp-3-7-13
lftp-3-7-14
lftp-3-7-2
lftp-3-7-3
lftp-3-7-4
lftp-3-7-6
lftp-3-7-7
lftp-3-7-8
lftp-3-7-9
lftp-4-0-0
lftp-4-0-1
lftp-4-0-10
lftp-4-0-2
lftp-4-0-3
lftp-4-0-4
lftp-4-0-5
lftp-4-0-6
lftp-4-0-7
lftp-4-0-8
lftp-4-0-9
lftp-4-1-0
lftp-4-1-1
lftp-4-1-2
lftp-4-1-3
lftp-4-2-0
lftp-4-2-1
lftp-4-2-2
lftp-4-2-3
lftp-4-3-0
lftp-4-3-1
lftp-4-4-10
lftp-4-4-6
lftp-4-4-7
lftp-4-4-9
v4.*
v4.4.10
v4.4.11
v4.4.12
v4.4.13
v4.4.9
v4.5.0
v4.5.1
v4.5.2
v4.5.3
v4.5.4
v4.5.5
v4.6.0
v4.6.1
v4.6.2
v4.6.3a
v4.6.4
v4.7.0
v4.7.1
v4.7.2
v4.7.3
v4.7.4
v4.7.5
v4.7.6
v4.7.7
v4.8.0
v4.8.1
v4.8.2
v4.8.3
Database specific
{
"vanir_signatures": [
{
"signature_version": "v1",
"signature_type": "Line",
"target": {
"file": "src/MirrorJob.cc"
},
"deprecated": false,
"digest": {
"line_hashes": [
"244349369390668892595797760314999903510",
"169581960840769298460240584613330507836",
"146173860621971291836711667024800615959",
"265483531252542994341281140526620986764",
"107893587868234888144271310072353078929",
"177756483980309683573063113426513097788",
"288231527058620403338738675996276698652",
"186893300704398393330693503705449305809",
"223082308941403541402446697448846864745",
"246633982740027109863840830855835297073",
"21437594345881515407454960924631063328",
"263669221529071279021023875539765791453",
"173948165701196518792053061803653348440",
"200140341648536081675757215393212583628",
"16159581719100287329306216419001680671",
"190649493202440113952718091698091985904",
"180253791564285096656708248770043869326",
"280245675576124995661559451913257467503",
"200598246181497449339911598896651219367",
"148684542870797260629902892665989974285",
"76746558407179739893964469272790056611",
"29291969798750880168856342168538504014",
"233352089558434665714063550268823556344",
"193065030735708514606678143362412964383",
"193962930268369251624570650910520533367",
"85664116373117485569111148701715145064",
"287534179326712448988736661749163428167",
"305769131065035972015028436761998493066",
"26256688570243295304376914988958272674",
"295539120064017512284362546220385050289",
"207693647384250029276508105234085443761",
"243476246154124037433451746078703124810",
"162797194599769761067522937082633691032",
"200598246181497449339911598896651219367",
"148684542870797260629902892665989974285",
"137882739764527447604796128799422246106",
"229325972409361524971109481980906178033"
],
"threshold": 0.9
},
"id": "CVE-2018-10916-a1d81ad8",
"source": "https://github.com/lavv17/lftp/commit/a27e07d90a4608ceaf928b1babb27d4d803e1992"
},
{
"signature_version": "v1",
"signature_type": "Function",
"target": {
"file": "src/MirrorJob.cc",
"function": "MirrorJob::Do"
},
"deprecated": false,
"digest": {
"length": 14791.0,
"function_hash": "52361239392641749069012112899986580012"
},
"id": "CVE-2018-10916-deba50ee",
"source": "https://github.com/lavv17/lftp/commit/a27e07d90a4608ceaf928b1babb27d4d803e1992"
}
]
}