CVE-2014-1693
high
CVSS v3
—
CVSS v2
7.5
VIR risk
7.5
Description
Multiple CRLF injection vulnerabilities in the FTP module in Erlang/OTP R15B03 allow context-dependent attackers to inject arbitrary FTP commands via CRLF sequences in the (1) user, (2) account, (3) cd, (4) ls, (5) nlist, (6) rename, (7) delete, (8) mkdir, (9) rmdir, (10) recv, (11) recv_bin, (12) recv_chunk_start, (13) send, (14) send_bin, (15) send_chunk_start, (16) append_chunk_start, (17) append, or (18) append_bin command.
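The following is an added illustration, not code from Erlang/OTP's ftp module: it models the failure mode behind every function listed above (an attacker-controlled string concatenated into an FTP command line, where a CR/LF byte ends the line on the wire and the remainder is parsed as a second command) and a hardened builder that refuses such input. Function names, the CWD/DELE sample and the hostile string are constructed for this example.

```python
"""CRLF injection in an FTP client command builder (added example).

Not Erlang/OTP code: a generic model of the CVE's mechanism. RFC 959 frames
each command as a line terminated by CRLF, so any argument that carries CR or
LF lets the caller smuggle an extra command past the client's API.
"""
from typing import List, Tuple

CRLF = "\r\n"


def build_naive(verb: str, arg: str) -> str:
    """Vulnerable pattern: the argument is concatenated unchecked."""
    return f"{verb} {arg}{CRLF}"


def build_safe(verb: str, arg: str) -> str:
    """Hardened builder: reject CR or LF before serialising, because either
    byte would terminate the command line on the wire."""
    if "\r" in arg or "\n" in arg:
        raise ValueError("CR/LF not allowed in FTP command argument")
    return f"{verb} {arg}{CRLF}"


def server_view(wire: str) -> List[str]:
    """How the peer parses the byte stream: one command per CRLF-terminated
    line, mirroring RFC 959 command framing."""
    return [line for line in wire.split(CRLF) if line]


def demo() -> Tuple[List[str], bool]:
    """Run the hostile input through both builders.

    Returns the command list the server would see from the naive builder and
    whether the hardened builder rejected the same input.
    """
    # Constructed attacker-controlled input: a directory name that smuggles a
    # DELE command after the intended CWD.
    hostile = "pub" + CRLF + "DELE important.txt"
    seen = server_view(build_naive("CWD", hostile))
    try:
        build_safe("CWD", hostile)
        rejected = False
    except ValueError:
        rejected = True
    return seen, rejected


if __name__ == "__main__":
    commands, rejected = demo()
    print("server sees:", commands)
    print("hardened builder rejected input:", rejected)
```

The same check belongs on every argument that reaches the wire (user, account, path, file name), not only on the ones an application happens to expose, since the client library is the last point that can enforce the framing rule.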
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2014-1693
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 1:16.b.3.1-dfsg-3 |
| debian | bullseye | fixed | 1:16.b.3.1-dfsg-3 |
| debian | forky | fixed | 1:16.b.3.1-dfsg-3 |
| debian | sid | fixed | 1:16.b.3.1-dfsg-3 |
| debian | trixie | fixed | 1:16.b.3.1-dfsg-3 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| erlang | erlang/otp | r15b03 | |
References
- http://advisories.mageia.org/MGASA-2014-0553.html
- http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145017.html
- http://seclists.org/oss-sec/2014/q1/163
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:174
- https://bugzilla.redhat.com/show_bug.cgi?id=1059331
- https://usn.ubuntu.com/3571-1/
- https://security-tracker.debian.org/tracker/CVE-2014-1693