A vulnerability in the NetBSD FTP server allows unauthenticated users to execute MLST and MLSD commands without authentication. This can lead to information leakage - unauthorized party may be able to download the listing of the current ftpd(8) directory. This vulnerability has been assigned CVE-2023-45198.

Additionally, potential buffer overflow in count_users() and reading outside of allocated memory issues due to wrong struct type used in the pam_set_item() call have been identified.