Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2017-7418

Опубликовано: 04 апр. 2017
Источник: nvd
CVSS3: 5.5
CVSS2: 2.1
EPSS Низкий

Описание

ProFTPD before 1.3.5e and 1.3.6 before 1.3.6rc5 controls whether the home directory of a user could contain a symbolic link through the AllowChrootSymlinks configuration option, but checks only the last path component when enforcing AllowChrootSymlinks. Attackers with local access could bypass the AllowChrootSymlinks control by replacing a path component (other than the last one) with a symbolic link. The threat model includes an attacker who is not granted full filesystem access by a hosting provider, but can reconfigure the home directory of an FTP user.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:proftpd:proftpd:*:d:*:*:*:*:*:*
Версия до 1.3.5 (включая)
cpe:2.3:a:proftpd:proftpd:1.3.6:*:*:*:*:*:*:*
cpe:2.3:a:proftpd:proftpd:1.3.6:rc1:*:*:*:*:*:*
cpe:2.3:a:proftpd:proftpd:1.3.6:rc2:*:*:*:*:*:*
cpe:2.3:a:proftpd:proftpd:1.3.6:rc3:*:*:*:*:*:*
cpe:2.3:a:proftpd:proftpd:1.3.6:rc4:*:*:*:*:*:*

EPSS

Процентиль: 20%
0.00065
Низкий

5.5 Medium

CVSS3

2.1 Low

CVSS2

Дефекты

CWE-59

Связанные уязвимости

ubuntu логотип

CVE-2017-7418

CVSS3: 5.5
ubuntu
почти 9 лет назад

ProFTPD before 1.3.5e and 1.3.6 before 1.3.6rc5 controls whether the home directory of a user could contain a symbolic link through the AllowChrootSymlinks configuration option, but checks only the last path component when enforcing AllowChrootSymlinks. Attackers with local access could bypass the AllowChrootSymlinks control by replacing a path component (other than the last one) with a symbolic link. The threat model includes an attacker who is not granted full filesystem access by a hosting provider, but can reconfigure the home directory of an FTP user.

debian логотип

CVE-2017-7418

CVSS3: 5.5
debian
почти 9 лет назад

ProFTPD before 1.3.5e and 1.3.6 before 1.3.6rc5 controls whether the h ...

suse-cvrf логотип

openSUSE-SU-2017:1035-1

suse-cvrf
почти 9 лет назад

Security update for proftpd

github логотип

GHSA-mq6p-g6qc-37c9

CVSS3: 5.5
github
больше 3 лет назад

ProFTPD before 1.3.5e and 1.3.6 before 1.3.6rc5 controls whether the home directory of a user could contain a symbolic link through the AllowChrootSymlinks configuration option, but checks only the last path component when enforcing AllowChrootSymlinks. Attackers with local access could bypass the AllowChrootSymlinks control by replacing a path component (other than the last one) with a symbolic link. The threat model includes an attacker who is not granted full filesystem access by a hosting provider, but can reconfigure the home directory of an FTP user.

suse-cvrf логотип

openSUSE-SU-2019:1836-1

suse-cvrf
больше 6 лет назад

Security update for proftpd

EPSS

Процентиль: 20%
0.00065
Низкий

5.5 Medium

CVSS3

2.1 Low

CVSS2

Дефекты

CWE-59