CVE-2022-2560: CompleteFTP Directory Traversal Arbitrary File Deletion Flaw
A high EnterpriseDT CompleteFTP vulnerability (CVE-2022-2560), which was discovered by rgod on Jun 7, 2022, just goes public today on the Zero Day Initiative (ZDI) website. Zero Day Initiative is a program for rewarding security researchers for responsibly disclosing vulnerabilities.
CompleteFTP is a proprietary FTP and SFTP server for Windows that supports FTP, FTPS, SFTP, SCP, HTTP, and HTTPS. It is easy to install, has a powerful set of features, and is a highly customizable SFTP server for Windows. Best of all, you get all the features of our most expensive competitors for a better price.
According to the ZDI Security Advisory, the vulnerability is a directory traversal arbitrary file deletion flaw that affects the version prior to 22.1.1 and allows a remote attacker to delete arbitrary files on affected installations of the EnterpriseDT CompleteFTP server.
The flaw tracked as CVE-2022-2560 (CVSS score 8.2), exists in the HttpFile class that results from the lack of proper validation of a user-supplied path prior to using it in file operations.
“The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to delete files in the context of SYSTEM,” a security advisory explains