AI description
CVE-2026-35025 describes an access control bypass vulnerability found in ProFTPD versions up to and including 1.3.9b and 1.3.10rc2. This flaw enables authenticated FTP users to circumvent Directory Access Control List (ACL) restrictions. The vulnerability is exploited by prefixing paths with `/proc/self/root` within the `RNFR` command handler. This technique allows attackers to leverage unresolved symlink components in `dir_canonical_path()` to cause `dir_check()` to perform lexical path comparisons that bypass configured Directory blocks. Consequently, this permits rename operations on files located in `DenyAll`-protected directories and their subsequent retrieval. It is noted that ProFTPD sessions configured with `DefaultRoot` (chroot) are not susceptible, as chroot modifies the resolution of `/proc/self/root`.
- Description
- ProFTPD through 1.3.9b and 1.3.10rc2 contains an access control bypass vulnerability that allows authenticated FTP users to circumvent Directory ACL restrictions by prefixing paths with /proc/self/root in the RNFR command handler. Attackers can exploit the unresolved symlink components in dir_canonical_path() to cause dir_check() to perform lexical path comparisons that match no configured Directory block, enabling rename operations on files in DenyAll-protected directories and subsequent retrieval of those files. Mitigation: Sessions configured with DefaultRoot (chroot) are not affected, as chroot changes the directory to which /proc/self/root resolves.
- Source
- disclosure@vulncheck.com
- NVD status
- Analyzed
- Products
- proftpd
CVSS 4.0
- Type
- Secondary
- Base score
- 8.6
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- HIGH
CVSS 3.1
- Type
- Secondary
- Base score
- 8.1
- Impact score
- 5.2
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
- Severity
- HIGH
- disclosure@vulncheck.com
- CWE-59
- Hype score
- Not currently trending
[
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:proftpd:proftpd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AB7EA00C-FD1D-4028-8DFF-4287D5CA721F",
"versionEndIncluding": "1.3.9b",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:proftpd:proftpd:1.3.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "9C535015-D609-494D-B6BE-AFDDF6D6F1DF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:proftpd:proftpd:1.3.10:rc2:*:*:*:*:*:*",
"matchCriteriaId": "D5311C32-9A31-423F-8A97-5EE4CB564EF9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
]