Following a critical report from Snyk, I have documented the findings in this issue.
@databricks/sql@1.13.0
CRLF Injection
↳ basic-ftp@5.2.0
Detailed paths
Introduced through: crm-databricks-integration@1.0.0 › @databricks/sql@1.13.0 › proxy-agent@6.5.0 › pac-proxy-agent@7.2.0 › get-uri@6.0.5 › basic-ftp@5.2.0
Fix: Your dependencies are out of date, otherwise you would be using a newer basic-ftp than basic-ftp@5.2.0. Try reinstalling your dependencies. If the problem persists, one of your dependencies may be bundling outdated modules.
Security information
Factors contributing to the scoring:
Snyk: CVSS v4.0 9.3 - Critical Severity | CVSS v3.1 9.8 - Critical Severity
NVD: Not available. NVD has not yet published its analysis.
Overview
basic-ftp is an FTP client for Node.js that supports FTPS over TLS, IPv6, async/await, and TypeScript.
Affected versions of this package are vulnerable to CRLF Injection via unsanitized path parameters in the protectWhitespace function. An attacker can execute arbitrary FTP commands by injecting CRLF sequences into file path inputs, which are then interpreted as separate commands by the FTP server. This can lead to unauthorized file deletion, directory manipulation, file exfiltration, command execution on supporting servers, session hijacking, or service disruption.
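The practical mitigation while the transitive dependency is pinned at basic-ftp@5.2.0 is to stop CR/LF from ever reaching an FTP command line. The following is an added example, not code from basic-ftp or @databricks/sql: a guard that rejects path arguments containing CR, LF or NUL at the trust boundary, and a wrapper that applies it to a hypothetical client object (`client` and the method names passed to `guardClient` are assumptions, not basic-ftp's API).

```javascript
"use strict";

// CR and LF terminate an FTP command, so either one inside a path lets the
// remainder of the string be parsed by the server as a second command.
// NUL is rejected too, since it is the Telnet-style escape for a literal
// newline in FTP pathnames and should never come from user input.
const FORBIDDEN_IN_PATH = /[\r\n\0]/;

class UnsafeFtpPathError extends Error {
  constructor(path) {
    super(`refusing FTP path containing CR/LF/NUL: ${JSON.stringify(path)}`);
    this.name = "UnsafeFtpPathError";
  }
}

// Returns the path unchanged when it is safe, otherwise throws.
// Call this where the path enters the application (HTTP parameter,
// PAC-derived URI, config file), before any FTP client method sees it.
function assertSafeFtpPath(path) {
  if (typeof path !== "string") {
    throw new TypeError("FTP path must be a string");
  }
  if (FORBIDDEN_IN_PATH.test(path)) {
    throw new UnsafeFtpPathError(path);
  }
  return path;
}

// Builds the single wire line an FTP client would send for verb + path.
// Because the path is validated first, the result always contains exactly
// one CRLF, at the end.
function buildFtpCommand(verb, path) {
  return `${verb} ${assertSafeFtpPath(path)}\r\n`;
}

// Wraps a client object (hypothetical; shape assumed, not basic-ftp's) so
// that every listed method validates its first argument before delegating.
// The original object is not modified; the wrapper delegates via prototype.
function guardClient(client, pathMethods) {
  const guarded = Object.create(client);
  for (const name of pathMethods) {
    guarded[name] = (path, ...rest) =>
      client[name](assertSafeFtpPath(path), ...rest);
  }
  return guarded;
}
```

Applying the guard does not fix the library; it only prevents tainted paths from reaching it, so the dependency bump should still follow.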