What is the severity of CVE-2010-2251?

CVE-2010-2251 has a severity rating that could lead to potential exploitation in affected versions of lftp and lwp-download.

How do I fix CVE-2010-2251?

To mitigate CVE-2010-2251, update lftp to the latest version available that addresses this vulnerability.

What products are affected by CVE-2010-2251?

CVE-2010-2251 affects various versions of lftp and lwp-download, particularly versions 2.0.0 to 4.0.5.

When was CVE-2010-2251 disclosed?

CVE-2010-2251 was disclosed in an advisory published by oCERT in 2010.

What types of vulnerabilities does CVE-2010-2251 represent?

CVE-2010-2251 represents vulnerabilities related to unsafe behaviors in file transfer applications lftp and lwp-download.

Vulnerability/
CVE-2010-2251

high

7.5

CWE

12/5/2010

6/7/2010

7/8/2024

CVE-2010-2251: Input Validation

First published: Wed May 12 2010(Updated: )

The draft advisory from oCERT follows: The lftp, wget and lwp-download applications are ftp/http clients and file transfer tools supporting various network protocols. The lwp-download script is shipped along with the libwww-perl library. Unsafe behaviours have been found in lftp and lwp-download handling the Content-Disposition header in conjunction with the 'suggested filename' functionality. Additionally unsafe behaviours have been found in wget and lwp-download in case of HTTP 3xx redirections during file dowloading. The two applications automatically use the URL's filename portion specified in the Location header. Implicitly trusting the suggested filenames results in a saved file that differs from the expected one according to the URL specified by the user. This can be used by a malicious attacker to silently write hidden and/or initialization files under the user's current directory (e.g. .login, .bashrc). The impact of this vulnerability is increased in the case of lftp/lftpget as the default configuration allows file overwrite without prompting confirmation to the user. In case of lftp the get1 command is affected. This command can be invoked directly by the user from lftp's command line interface or indirectly by using the lftpget script, packaged within lftp distribution. Affected version: lftp <= 4.0.5 wget <= 1.12 libwww-perl <= 5.834 Fixed version: lftp >= 4.0.6 wget N/A libwww-perl >= 5.835 Credit: Vulnerability discovered and reported by Hank Leininger and Solar Designer under the Openwall Project, with further analysis by Daniele Bianco of oCERT.

Credit: cve@mitre.org

Affected Software	Affected Version	How to fix
lftp	=3.1.2
lftp	=2.0.1
lftp	=3.0.3
lftp	=3.3.5
lftp	=2.0.0
lftp	=3.1.0
lftp	=2.0.5
lftp	=2.1.8
lftp	<=4.0.5
lftp	=3.3.1
lftp	=3.0.10
lftp	=2.1.1
lftp	=3.7.1
lftp	=2.4.10
lftp	=3.2.1
lftp	=4.0.0
lftp	=3.4.3
lftp	=3.4.7
lftp	=3.5.6
lftp	=2.3.6
lftp	=2.6.10
lftp	=2.6.11
lftp	=2.2.4
lftp	=2.3.3
lftp	=2.3.7
lftp	=3.7.14
lftp	=3.5.9
lftp	=2.6.0
lftp	=3.5.0
lftp	=4.0.4
lftp	=2.6.4
lftp	=2.4.2
lftp	=3.4.5
lftp	=3.4.0
lftp	=3.5.5
lftp	=2.6.1
lftp	=2.6.9
lftp	=3.5.14
lftp	=3.0.11
lftp	=3.1.1
lftp	=2.3
lftp	=3.0.1
lftp	=3.4.6
lftp	=2.3.9
lftp	=2.5.4
lftp	=3.6.0
lftp	=2.4.0
lftp	=3.5.15
lftp	=3.6.2
lftp	=2.6.7
lftp	=3.0.8
lftp	=2.3.10
lftp	=3.3.4
lftp	=3.5.4
lftp	=3.2.0
lftp	=3.5.10
lftp	=2.0.2
lftp	=2.1.2
lftp	=2.3.1
lftp	=3.7.8
lftp	=2.1.7
lftp	=3.5.3
lftp	=2.5.2
lftp	=2.3.2
lftp	=2.4.9
lftp	=2.2.1
lftp	=2.5.1
lftp	=3.7.7
lftp	=2.3.4
lftp	=2.4.10a
lftp	=4.0.3
lftp	=3.6.3
lftp	=2.1.5
lftp	=2.2.0a
lftp	=2.3.0
lftp	=3.0.5
lftp	=3.0.6
lftp	=3.0.4
lftp	=2.2.5
lftp	=2.6.6
lftp	=2.1.4
lftp	=3.5.12
lftp	=3.3.2
lftp	=2.4.8
lftp	=2.2.2
lftp	=2.6.3
lftp	=3.7.3
lftp	=3.5.11
lftp	=2.2.3
lftp	=3.7.9
lftp	=3.7.11
lftp	=3.5.13
lftp	=3.7.13
lftp	=2.5.3
lftp	=3.0.0
lftp	=3.7.4
lftp	=2.3.11
lftp	=2.4.7
lftp	=2.4.5
lftp	=3.7.12
lftp	=3.4.4
lftp	=2.6.12
lftp	=3.6.1
lftp	=2.1.3
lftp	=3.4.2
lftp	=3.7.5
lftp	=3.3.0
lftp	=2.6.2
lftp	=2.4.6
lftp	=3.7.10
lftp	=3.1.3
lftp	=3.5.8
lftp	=2.0.4
lftp	=3.0.9
lftp	=2.2.6
lftp	=3.5.2
lftp	=2.1.0
lftp	=4.0.2
lftp	=3.4.1
lftp	=3.3.3
lftp	=2.6.8
lftp	=3.5.1
lftp	=2.5.0
lftp	=2.3.8
lftp	=2.4.3
lftp	=2.3.5
lftp	=2.1.6
lftp	=3.0.13
lftp	=2.0.3
lftp	=3.0.2
lftp	=2.4.1
lftp	=3.7.2
lftp	=2.1.10
lftp	=2.6.5
lftp	=3.5.7
lftp	=3.0.7
lftp	=4.0.1
lftp	=2.2.0
lftp	=3.7.6
lftp	=2.1.9
lftp	=3.7.0
lftp	=3.0.12

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2010-2251?
CVE-2010-2251 has a severity rating that could lead to potential exploitation in affected versions of lftp and lwp-download.
How do I fix CVE-2010-2251?
To mitigate CVE-2010-2251, update lftp to the latest version available that addresses this vulnerability.
What products are affected by CVE-2010-2251?
CVE-2010-2251 affects various versions of lftp and lwp-download, particularly versions 2.0.0 to 4.0.5.
When was CVE-2010-2251 disclosed?
CVE-2010-2251 was disclosed in an advisory published by oCERT in 2010.
What types of vulnerabilities does CVE-2010-2251 represent?
CVE-2010-2251 represents vulnerabilities related to unsafe behaviors in file transfer applications lftp and lwp-download.

agent/softwarecombine
agent/first-publish-date
agent/type
collector/mitre-cve
source/MITRE
agent/severity
agent/last-modified-date
agent/author
agent/references
agent/weakness
agent/description
agent/event
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2010-2251
agent/trending
agent/source
agent/tags
collector/nvd-historical
agent/software-canonical-lookup-request
collector/nvd-index
vendor/alexander v. lukyanov
canonical/lftp
version/lftp/3.1.2
version/lftp/2.0.1
version/lftp/3.0.3
version/lftp/3.3.5
version/lftp/2.0.0
version/lftp/3.1.0
version/lftp/2.0.5
version/lftp/2.1.8
version/lftp/4.0.5
version/lftp/3.3.1
version/lftp/3.0.10
version/lftp/2.1.1
version/lftp/3.7.1
version/lftp/2.4.10
version/lftp/3.2.1
version/lftp/4.0.0
version/lftp/3.4.3
version/lftp/3.4.7
version/lftp/3.5.6
version/lftp/2.3.6
version/lftp/2.6.10
version/lftp/2.6.11
version/lftp/2.2.4
version/lftp/2.3.3
version/lftp/2.3.7
version/lftp/3.7.14
version/lftp/3.5.9
version/lftp/2.6.0
version/lftp/3.5.0
version/lftp/4.0.4
version/lftp/2.6.4
version/lftp/2.4.2
version/lftp/3.4.5
version/lftp/3.4.0
version/lftp/3.5.5
version/lftp/2.6.1
version/lftp/2.6.9
version/lftp/3.5.14
version/lftp/3.0.11
version/lftp/3.1.1
version/lftp/2.3
version/lftp/3.0.1
version/lftp/3.4.6
version/lftp/2.3.9
version/lftp/2.5.4
version/lftp/3.6.0
version/lftp/2.4.0
version/lftp/3.5.15
version/lftp/3.6.2
version/lftp/2.6.7
version/lftp/3.0.8
version/lftp/2.3.10
version/lftp/3.3.4
version/lftp/3.5.4
version/lftp/3.2.0
version/lftp/3.5.10
version/lftp/2.0.2
version/lftp/2.1.2
version/lftp/2.3.1
version/lftp/3.7.8
version/lftp/2.1.7
version/lftp/3.5.3
version/lftp/2.5.2
version/lftp/2.3.2
version/lftp/2.4.9
version/lftp/2.2.1
version/lftp/2.5.1
version/lftp/3.7.7
version/lftp/2.3.4
version/lftp/2.4.10a
version/lftp/4.0.3
version/lftp/3.6.3
version/lftp/2.1.5
version/lftp/2.2.0a
version/lftp/2.3.0
version/lftp/3.0.5
version/lftp/3.0.6
version/lftp/3.0.4
version/lftp/2.2.5
version/lftp/2.6.6
version/lftp/2.1.4
version/lftp/3.5.12
version/lftp/3.3.2
version/lftp/2.4.8
version/lftp/2.2.2
version/lftp/2.6.3
version/lftp/3.7.3
version/lftp/3.5.11
version/lftp/2.2.3
version/lftp/3.7.9
version/lftp/3.7.11
version/lftp/3.5.13
version/lftp/3.7.13
version/lftp/2.5.3
version/lftp/3.0.0
version/lftp/3.7.4
version/lftp/2.3.11
version/lftp/2.4.7
version/lftp/2.4.5
version/lftp/3.7.12
version/lftp/3.4.4
version/lftp/2.6.12
version/lftp/3.6.1
version/lftp/2.1.3
version/lftp/3.4.2
version/lftp/3.7.5
version/lftp/3.3.0
version/lftp/2.6.2
version/lftp/2.4.6
version/lftp/3.7.10
version/lftp/3.1.3
version/lftp/3.5.8
version/lftp/2.0.4
version/lftp/3.0.9
version/lftp/2.2.6
version/lftp/3.5.2
version/lftp/2.1.0
version/lftp/4.0.2
version/lftp/3.4.1
version/lftp/3.3.3
version/lftp/2.6.8
version/lftp/3.5.1
version/lftp/2.5.0
version/lftp/2.3.8
version/lftp/2.4.3
version/lftp/2.3.5
version/lftp/2.1.6
version/lftp/3.0.13
version/lftp/2.0.3
version/lftp/3.0.2
version/lftp/2.4.1
version/lftp/3.7.2
version/lftp/2.1.10
version/lftp/2.6.5
version/lftp/3.5.7
version/lftp/3.0.7
version/lftp/4.0.1
version/lftp/2.2.0
version/lftp/3.7.6
version/lftp/2.1.9
version/lftp/3.7.0
version/lftp/3.0.12