DEBIAN-CVE-2017-7418

Advisory lineage Upstream: 1 Downstream: 0

Upstream

CVE-2017-7418

Published: 04 Apr 2017, 17:59

Last modified:28 Apr 2026, 20:17

Vulnerability Summary

Overall Risk (default)

low

22/100

CVSS Score

5.5 MEDIUM

3.0 (osv_debian)

EPSS Score

No data

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

04 Apr 2017, 17:59

Published

Vulnerability first disclosed

28 Apr 2026, 20:17

Last Modified

Vulnerability information updated

Description

ProFTPD before 1.3.5e and 1.3.6 before 1.3.6rc5 controls whether the home directory of a user could contain a symbolic link through the AllowChrootSymlinks configuration option, but checks only the last path component when enforcing AllowChrootSymlinks. Attackers with local access could bypass the AllowChrootSymlinks control by replacing a path component (other than the last one) with a symbolic link. The threat model includes an attacker who is not granted full filesystem access by a hosting provider, but can reconfigure the home directory of an FTP user.

CVSS Metrics

v3.0•MEDIUM•Score: 5.5CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Affected Systems

debian•proftpd-dfsg
< 1.3.5b-4 | < 1.3.5b-4 | < 1.3.5b-4 | < 1.3.5b-4

References (1)

https://security-tracker.debian.org/tracker/CVE-2017-7418