Vulnerability CVE-2017-7418: Information

Description

ProFTPD before 1.3.5e and 1.3.6 before 1.3.6rc5 controls whether the home directory of a user could contain a symbolic link through the AllowChrootSymlinks configuration option, but checks only the last path component when enforcing AllowChrootSymlinks. Attackers with local access could bypass the AllowChrootSymlinks control by replacing a path component (other than the last one) with a symbolic link. The threat model includes an attacker who is not granted full filesystem access by a hosting provider, but can reconfigure the home directory of an FTP user.

Severity: MEDIUM (5.5) Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

URL: https://nvd.nist.gov/vuln/detail/CVE-2017-7418
Published: April 4, 2017
Modified: Aug. 8, 2019
Error type identifier: CWE-59

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
proftpdsisyphus1.3.5-alt4.rel.e1.3.8-alt0.2.ga3489a6c8ALT-PU-2018-1000-1197729Fixed
proftpdsisyphus_e2k1.3.7-alt0.1.c1.3.8-alt0.2.ga3489a6c8ALT-PU-2022-3450-1-Fixed
proftpdsisyphus_riscv641.3.7-alt0.1.c1.3.8-alt0.2.ga3489a6c8ALT-PU-2022-3482-1-Fixed
proftpdp101.3.5-alt4.rel.e1.3.6-alt0.4.ga73dbfe3bALT-PU-2018-1000-1197729Fixed
proftpdp91.3.5-alt4.rel.e1.3.6-alt0.4.ga73dbfe3bALT-PU-2018-1000-1197729Fixed
proftpdp81.3.6-alt0.1.ga73dbfe3b1.3.6-alt0.1.ga73dbfe3bALT-PU-2019-2667-1237142Fixed
proftpdc10f11.3.5-alt4.rel.e1.3.6-alt0.4.ga73dbfe3bALT-PU-2018-1000-1197729Fixed
proftpdc9f21.3.8-alt0.2.ga3489a6c81.3.8-alt0.2.ga3489a6c8ALT-PU-2023-5874-2329854Fixed
proftpdp111.3.5-alt4.rel.e1.3.8-alt0.2.ga3489a6c8ALT-PU-2018-1000-1197729Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://github.com/proftpd/proftpd/pull/444/commits/349addc3be4fcdad9bd4ec01ad1ccd916c898ed8
  • Issue Tracking
  • Patch
  • Third Party Advisory
https://github.com/proftpd/proftpd/commit/f59593e6ff730b832dbe8754916cb5c821db579f
  • Issue Tracking
  • Patch
  • Third Party Advisory
https://github.com/proftpd/proftpd/commit/ecff21e0d0e84f35c299ef91d7fda088e516d4ed
  • Issue Tracking
  • Patch
  • Third Party Advisory
http://bugs.proftpd.org/show_bug.cgi?id=4295
  • Issue Tracking
  • Patch
97409
  • Third Party Advisory
  • VDB Entry
openSUSE-SU-2019:1836
    openSUSE-SU-2019:1870
      openSUSE-SU-2020:0031

          1. Configuration 1

            cpe:2.3:a:proftpd:proftpd:1.3.6:*:*:*:*:*:*:*
            cpe:2.3:a:proftpd:proftpd:1.3.6:rc3:*:*:*:*:*:*
            cpe:2.3:a:proftpd:proftpd:1.3.6:rc2:*:*:*:*:*:*
            cpe:2.3:a:proftpd:proftpd:1.3.6:rc1:*:*:*:*:*:*
            cpe:2.3:a:proftpd:proftpd:*:d:*:*:*:*:*:*
            End including
            1.3.5
            cpe:2.3:a:proftpd:proftpd:1.3.6:rc4:*:*:*:*:*:*
        VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
        Version: v24.5.3
        Back to top