Critical vulnerability CVE-2019-12815 in ProFTPd

A critical vulnerability (CVE-2019-12815) has been identified in ProFTPd, a popular FTP server. Exploitation allows files to be copied within the server without authentication using the "site cpfr" and "site cpto" commands, including on servers with anonymous access.

The vulnerability is caused by incorrect checking of access restrictions for reading and writing data (Limit READ and Limit WRITE) in the mod_copy module, which is used by default and is included in proftpd packages for most distributions.

The vulnerability affects all current versions in all distributions except Fedora. The fix is currently available as a patch. As a temporary solution, it is recommended to disable mod_copy.
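One way to check and apply the temporary mitigation, as an added example that is not part of the original article or of ProFTPd itself: it looks for an active `LoadModule mod_copy.c` line in configuration text, comments it out, and also checks the compiled-in module list printed by `proftpd -l`, since a statically linked mod_copy cannot be disabled by editing `LoadModule` lines. The function names and both sample inputs are constructed for illustration, and directive matching is assumed to be case-insensitive.

```python
import re

# An active (uncommented) "LoadModule mod_copy.c" directive.
LOAD_COPY = re.compile(r"^\s*LoadModule\s+mod_copy\.c\b", re.IGNORECASE)

# Constructed sample inputs, not taken from any real server.
SAMPLE_MODULES_CONF = """\
# ProFTPD module list (constructed sample)
LoadModule mod_ctrls_admin.c
LoadModule mod_tls.c
  LoadModule mod_copy.c
#LoadModule mod_copy.c
LoadModule mod_sftp.c
"""
SAMPLE_PROFTPD_L = """\
Compiled-in modules:
  mod_core.c
  mod_xfer.c
  mod_dso.c
"""

def find_mod_copy(config_text):
    """Return 1-based line numbers where mod_copy is actively loaded."""
    return [n for n, line in enumerate(config_text.splitlines(), 1)
            if LOAD_COPY.match(line)]

def disable_mod_copy(config_text):
    """Comment out active mod_copy load lines; return (new_text, count)."""
    out, changed = [], 0
    for line in config_text.splitlines(keepends=True):
        if LOAD_COPY.match(line):
            out.append("#" + line)
            changed += 1
        else:
            out.append(line)
    return "".join(out), changed

def mod_copy_status(config_text, compiled_in_listing):
    """Classify exposure: 'static', 'loaded' or 'absent'."""
    compiled = {l.strip() for l in compiled_in_listing.splitlines()}
    if "mod_copy.c" in compiled:
        return "static"   # built in: needs the patch or a rebuild
    return "loaded" if find_mod_copy(config_text) else "absent"

if __name__ == "__main__":
    print(mod_copy_status(SAMPLE_MODULES_CONF, SAMPLE_PROFTPD_L))
    patched, n = disable_mod_copy(SAMPLE_MODULES_CONF)
    print(f"commented out {n} line(s)")
    print(mod_copy_status(patched, SAMPLE_PROFTPD_L))
```

The check covers only the text passed in, so every included configuration file has to be fed through it, and the server must be restarted for the change to take effect.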

Source: linux.org.ru
