CVE-2014-1693
Published: 8 December 2014
Multiple CRLF injection vulnerabilities in the FTP module in Erlang/OTP R15B03 allow context-dependent attackers to inject arbitrary FTP commands via CRLF sequences in the (1) user, (2) account, (3) cd, (4) ls, (5) nlist, (6) rename, (7) delete, (8) mkdir, (9) rmdir, (10) recv, (11) recv_bin, (12) recv_chunk_start, (13) send, (14) send_bin, (15) send_chunk_start, (16) append_chunk_start, (17) append, or (18) append_bin command.
Notes
| Author | Note |
|---|---|
| jdstrand | requires MITM between erlang system and ftp server or for the web server to not do input sanitization |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
erlang Launchpad, Ubuntu, Debian |
vivid |
Not vulnerable
(1:17.3-dfsg-3ubuntu1)
|
| artful |
Not vulnerable
(1:17.3-dfsg-3ubuntu1)
|
|
| lucid |
Ignored
(end of life)
|
|
| precise |
Ignored
(end of life)
|
|
| quantal |
Ignored
(end of life)
|
|
| saucy |
Ignored
(end of life)
|
|
| trusty |
Released
(1:16.b.3-dfsg-1ubuntu2.2)
|
|
| upstream |
Released
(1:16.b.3.1-dfsg-3,1:15.b.1-dfsg-4+deb7u1)
|
|
| utopic |
Not vulnerable
(1:17.1-dfsg-4ubuntu2)
|
|
| wily |
Not vulnerable
(1:17.3-dfsg-3ubuntu1)
|
|
| xenial |
Not vulnerable
(1:17.3-dfsg-3ubuntu1)
|
|
| yakkety |
Not vulnerable
(1:17.3-dfsg-3ubuntu1)
|
|
| zesty |
Not vulnerable
(1:17.3-dfsg-3ubuntu1)
|
|
|
Patches: upstream: https://github.com/erlang/otp/commit/6995e4764d2722ca315a68facd8777f3c8970db7 |
||
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1693
- http://www.openwall.com/lists/oss-security/2014/01/29/3
- http://www.openwall.com/lists/oss-security/2014/01/29
- http://erlang.org/pipermail/erlang-bugs/2014-January/003998.html
- https://ubuntu.com/security/notices/USN-3571-1
- NVD
- Launchpad
- Debian