Local Access Vulnerability in ProFTPD FTP Server by ProFTPD Project
CVE-2017-7418

5.5 MEDIUM

Key Information:

Vendor: Proftpd

Status
Vendor
CVE Published: 4 April 2017

What is CVE-2017-7418?

ProFTPD FTP server versions prior to 1.3.5e, and 1.3.6 versions before 1.3.6rc5, contain a vulnerability that lets local users bypass the configuration option AllowChrootSymlinks. The vulnerability arises because ProFTPD verifies only the last component of a given path when enforcing this option. A malicious actor with limited access can circumvent the restriction by substituting intermediate path elements with symbolic links, leading to unauthorized access within the filesystem. Attackers may leverage this flaw to gain inappropriate access to files and directories, potentially compromising sensitive data.

CVSS V3.1

Score: 5.5
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
