Unrated severityNVD Advisory· Published Apr 22, 2007· Updated Apr 23, 2026

CVE-2007-2165

Description

The Auth API in ProFTPD before 20070417, when multiple simultaneous authentication modules are configured, does not require that the module that checks authentication is the same as the module that retrieves authentication data, which might allow remote attackers to bypass authentication, as demonstrated by use of SQLAuthTypes Plaintext in mod_sql, with data retrieved from /etc/passwd.

Affected products

Proftpd/Proftpd
cpe:2.3:a:proftpd_project:proftpd:*:*:*:*:*:*:*:*
Range: <=1.3.0_rc1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

bugs.proftpd.org/show_bug.cginvdPatch
bugs.debian.org/cgi-bin/bugreport.cginvdVendor Advisory
secunia.com/advisories/24867nvdVendor Advisory
securitytracker.com/idnvdVendor Advisory
osvdb.org/34602nvd
secunia.com/advisories/25724nvd
secunia.com/advisories/27516nvd
www.mandriva.com/security/advisoriesnvd
www.securityfocus.com/bid/23546nvd
www.vupen.com/english/advisories/2007/1444nvd
bugzilla.redhat.com/show_bug.cginvd
exchange.xforce.ibmcloud.com/vulnerabilities/33733nvd
www.redhat.com/archives/fedora-package-announce/2007-November/msg00065.htmlnvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.003
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000