CVE-2017-7418

NONE EPSS 33.6%
Published Apr 4, 2017
Last Modified Jun 17, 2026

Description

ProFTPD before 1.3.5e and 1.3.6 before 1.3.6rc5 controls whether the home directory of a user could contain a symbolic link through the AllowChrootSymlinks configuration option, but checks only the last path component when enforcing AllowChrootSymlinks. Attackers with local access could bypass the AllowChrootSymlinks control by replacing a path component (other than the last one) with a symbolic link. The threat model includes an attacker who is not granted full filesystem access by a hosting provider, but can reconfigure the home directory of an FTP user.
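
The difference between examining only the last path component and examining every component, as an added example in C. It is not ProFTPD's code or its patch; the function names and the constructed temporary directory layout are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Flawed form described above: only the final component is examined. */
int last_component_is_symlink(const char *path) {
    struct stat st;
    if (lstat(path, &st) < 0) return -1;
    return S_ISLNK(st.st_mode) ? 1 : 0;
}

/* Hardened form: lstat() every prefix of an absolute path.
 * Returns 1 if any component is a symlink, 0 if none, -1 on error. */
int any_component_is_symlink(const char *path) {
    char buf[PATH_MAX];
    struct stat st;
    size_t len = strlen(path);
    if (path[0] != '/' || len >= sizeof buf) return -1;
    memcpy(buf, path, len + 1);
    for (char *p = buf + 1; ; p++) {
        if (*p != '/' && *p != '\0') continue;
        char saved = *p;
        *p = '\0';                        /* cut the path after this component */
        if (lstat(buf, &st) < 0) return -1;
        if (S_ISLNK(st.st_mode)) return 1;
        if (saved == '\0') return 0;      /* final component was checked */
        *p = saved;
    }
}

/* Constructed fixture: <tmp>/real/home is a directory, <tmp>/link -> real.
 * Writes "<tmp>/link/home" into out; returns 0 on success. */
int build_fixture(char *out, size_t outlen) {
    char tmpl[] = "/tmp/chroot-demo-XXXXXX", base[PATH_MAX], a[PATH_MAX + 16];
    if (!mkdtemp(tmpl) || !realpath(tmpl, base)) return -1;
    if (snprintf(a, sizeof a, "%s/real", base) < 0 || mkdir(a, 0700)) return -1;
    if (snprintf(a, sizeof a, "%s/real/home", base) < 0 || mkdir(a, 0700)) return -1;
    if (snprintf(a, sizeof a, "%s/link", base) < 0 || symlink("real", a)) return -1;
    return snprintf(out, outlen, "%s/link/home", base) < (int)outlen ? 0 : -1;
}

int main(void) {
    char home[PATH_MAX + 16];
    if (build_fixture(home, sizeof home)) return 1;
    return printf("%s\n  last component only: %d\n  every component: %d\n", home,
                  last_component_is_symlink(home), any_component_is_symlink(home)) < 0;
}
```

A check of this kind is still separated in time from the later chroot, so it only holds if the path components cannot be changed in between.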

Threat Intelligence

EPSS Exploit Probability
33.6% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-59

Affected Products 6

Vendor   Product  Version  Range
proftpd  proftpd  *        ≤1.3.5
proftpd  proftpd  1.3.6    any
proftpd  proftpd  1.3.6    any
proftpd  proftpd  1.3.6    any
proftpd  proftpd  1.3.6    any
proftpd  proftpd  1.3.6    any

References 8

  • bugs.proftpd.org http://bugs.proftpd.org/show_bug.cgi?id=4295
    Issue Tracking, Patch
  • lists.opensuse.org http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00004.html
  • lists.opensuse.org http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00022.html
  • lists.opensuse.org http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00009.html
  • securityfocus.com http://www.securityfocus.com/bid/97409
    Third Party Advisory, VDB Entry
  • github.com https://github.com/proftpd/proftpd/commit/ecff21e0d0e84f35c299ef91d7fda088e516d4ed
    Issue Tracking, Patch, Third Party Advisory
  • github.com https://github.com/proftpd/proftpd/commit/f59593e6ff730b832dbe8754916cb5c821db579f
    Issue Tracking, Patch, Third Party Advisory
  • github.com https://github.com/proftpd/proftpd/pull/444/commits/349addc3be4fcdad9bd4ec01ad1ccd916c898ed8
    Issue Tracking, Patch, Third Party Advisory

Remediation

  • bugs.proftpd.org http://bugs.proftpd.org/show_bug.cgi?id=4295
    Issue Tracking, Patch
  • github.com https://github.com/proftpd/proftpd/commit/ecff21e0d0e84f35c299ef91d7fda088e516d4ed
    Issue Tracking, Patch, Third Party Advisory
  • github.com https://github.com/proftpd/proftpd/commit/f59593e6ff730b832dbe8754916cb5c821db579f
    Issue Tracking, Patch, Third Party Advisory
  • github.com https://github.com/proftpd/proftpd/pull/444/commits/349addc3be4fcdad9bd4ec01ad1ccd916c898ed8
    Issue Tracking, Patch, Third Party Advisory