{"id":"CVE-2009-5012","details":"ftpserver.py in pyftpdlib before 0.5.2 does not require the l permission for the MLST command, which allows remote authenticated users to bypass intended access restrictions and list the root directory via an FTP session.","aliases":["GHSA-h4g7-8m7r-87r9","PYSEC-2010-9"],"modified":"2026-04-10T03:41:03.606719Z","published":"2010-10-19T20:00:03Z","references":[{"type":"WEB","url":"http://code.google.com/p/pyftpdlib/issues/detail?id=114"},{"type":"WEB","url":"http://code.google.com/p/pyftpdlib/source/browse/trunk/HISTORY"},{"type":"WEB","url":"http://code.google.com/p/pyftpdlib/source/detail?r=596"},{"type":"WEB","url":"http://code.google.com/p/pyftpdlib/source/diff?spec=svn596&r=596&format=side&path=/trunk/pyftpdlib/ftpserver.py"}],"schema_version":"1.7.5"}