CVE-2007-2348

Publication date 27 April 2007

Last updated 24 July 2024

Ubuntu priority

mirror --script in lftp before 3.5.9 does not properly quote shell metacharacters, which might allow remote user-assisted attackers to execute shell commands via a malicious script. NOTE: it is not clear whether this issue crosses security boundaries, since the script already supports commands such as "get" which could overwrite executable files.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
lftp	7.04 feisty	Ignored
	6.10 edgy	Ignored
	6.06 LTS dapper	Ignored

How can I get the fixes?
What do statuses mean?

Notes

kees

Already documented as dangerous, upstream is not fixing.

References

MITRE
NVD
Launchpad
Debian

Other references

https://www.cve.org/CVERecord?id=CVE-2007-2348