CVSS3: 5.5 Medium
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CVSS2: 2.1 Low
Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:L/AC:L/Au:N/C:N/I:P/A:N

EPSS: 0.0004 Low
Percentile: 5.2%

ProFTPD before 1.3.5e and 1.3.6 before 1.3.6rc5 controls whether the home
directory of a user could contain a symbolic link through the
AllowChrootSymlinks configuration option, but checks only the last path
component when enforcing AllowChrootSymlinks. Attackers with local access
could bypass the AllowChrootSymlinks control by replacing a path component
(other than the last one) with a symbolic link. The threat model includes
an attacker who is not granted full filesystem access by a hosting
provider, but can reconfigure the home directory of an FTP user.
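
The gap between checking only the last path component and checking every component, as an added example (not ProFTPD's code or its fix). The function names and the temporary directory fixture are constructed for illustration.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak form from the advisory: lstat() only reports on the final component. */
static int last_component_is_symlink(const char *path) {
    struct stat st;
    if (lstat(path, &st) < 0) return -1;
    return S_ISLNK(st.st_mode) ? 1 : 0;
}

/* Hardened form: lstat() every prefix of an absolute path.
 * Returns 1 if any component is a symlink, 0 if none, -1 on error. */
static int any_component_is_symlink(const char *path) {
    char prefix[PATH_MAX];
    size_t len = strlen(path);
    if (path[0] != '/' || len >= sizeof(prefix)) return -1;
    for (size_t i = 1; i <= len; i++) {
        if (path[i] != '/' && path[i] != '\0') continue; /* not a boundary */
        if (path[i - 1] == '/') continue; /* empty component or trailing '/' */
        memcpy(prefix, path, i);
        prefix[i] = '\0';
        struct stat st;
        if (lstat(prefix, &st) < 0) return -1;
        if (S_ISLNK(st.st_mode)) return 1;
    }
    return 0;
}

/* Constructed fixture: <tmp>/real/home plus <tmp>/link -> real.
 * Returns 1 when only the full walk flags <tmp>/link/home. */
static int demo(void) {
    char tmpl[] = "/tmp/chrootdemoXXXXXX", base[PATH_MAX], p[PATH_MAX + 16], q[PATH_MAX + 16];
    if (!mkdtemp(tmpl) || !realpath(tmpl, base)) return -1;
    snprintf(p, sizeof p, "%s/real", base);      mkdir(p, 0700);
    snprintf(p, sizeof p, "%s/real/home", base); mkdir(p, 0700);
    snprintf(q, sizeof q, "%s/link", base);
    if (symlink("real", q) < 0) return -1;
    snprintf(q, sizeof q, "%s/link/home", base);
    return last_component_is_symlink(q) == 0 && any_component_is_symlink(q) == 1
        && any_component_is_symlink(p) == 0;
}

int main(void) { printf("bypass caught only by full walk: %d\n", demo()); return 0; }
```

A walk like this is still a check made before use, so a component can change between the check and the later chroot.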

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 16.04 | noarch | proftpd-dfsg | < any | UNKNOWN |

github.com/proftpd/proftpd/commit/ecff21e0d0e84f35c299ef91d7fda088e516d4ed
github.com/proftpd/proftpd/commit/f59593e6ff730b832dbe8754916cb5c821db579f
github.com/proftpd/proftpd/pull/444/commits/349addc3be4fcdad9bd4ec01ad1ccd916c898ed8
launchpad.net/bugs/cve/CVE-2017-7418
nvd.nist.gov/vuln/detail/CVE-2017-7418
security-tracker.debian.org/tracker/CVE-2017-7418
www.cve.org/CVERecord?id=CVE-2017-7418