CVE-2007-2348
EPSS 5.1%
Description
mirror --script in lftp before 3.5.9 does not properly quote shell metacharacters, which might allow remote user-assisted attackers to execute shell commands via a malicious script. NOTE: it is not clear whether this issue crosses security boundaries, since the script already supports commands such as "get" which could overwrite executable files.
How to fix CVE-2007-2348
To remediate CVE-2007-2348, upgrade the affected package to the fixed version listed below.
- Debian/lftp: upgrade to 3.5.9-1 or later
Is CVE-2007-2348 being exploited?
Moderate: EPSS is 5.1%. Track this CVE, but it is not at the top of the prioritisation list.
Affected packages (1)
- Debian/lftp: from 0, < 3.5.9-1