CVE-2022-2560: CompleteFTP Directory Traversal Arbitrary File Deletion Flaw

CVE-2022-2560

A high EnterpriseDT CompleteFTP vulnerability (CVE-2022-2560), which was discovered by rgod on Jun 7, 2022, just goes public today on the Zero Day Initiative (ZDI) website. Zero Day Initiative is a program for rewarding security researchers for responsibly disclosing vulnerabilities.

CVE-2022-2560

CompleteFTP is a proprietary FTP and SFTP server for Windows that supports FTP, FTPS, SFTP, SCP, HTTP, and HTTPS. It is easy to install, has a powerful set of features, and is a highly customizable SFTP server for Windows. Best of all, you get all the features of our most expensive competitors for a better price.

According to the ZDI Security Advisory, the vulnerability is a directory traversal arbitrary file deletion flaw that affects the version prior to 22.1.1 and allows a remote attacker to delete arbitrary files on affected installations of the EnterpriseDT CompleteFTP server.

The flaw tracked as CVE-2022-2560 (CVSS score 8.2), exists in the HttpFile class that results from the lack of proper validation of a user-supplied path prior to using it in file operations.

“The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to delete files in the context of SYSTEM,” a security advisory explains

The vulnerability has been addressed by EnterpriseDT and CompleteFTP version 22.1.1 is available for this flaw, so CompleteFTP users need to upgrade CompleteFTP to the latest version as soon as possible.