CVE-2017-7418

Name: CVE-2017-7418
Creator: NVD / NIST
Published: 2017-04-04T17:59:00.337+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 0.42%

Last modified Jun 17, 2026

CVE-2017-7418 is a vulnerability of currently unknown severity. ProFTPD before 1.3.5e and 1.3.6 before 1.3.6rc5 controls whether the home directory of a user could contain a symbolic link through the AllowChrootSymlinks configuration option, but checks only the last path component when enforcing AllowChrootSymlinks. Attackers with local access could bypass the AllowChrootSymlinks control by replacing a path component (other than the last one) with a symbolic link. EPSS estimates a 0.42% chance of exploitation in the next 30 days.

Description

ProFTPD before 1.3.5e and 1.3.6 before 1.3.6rc5 controls whether the home directory of a user could contain a symbolic link through the AllowChrootSymlinks configuration option, but checks only the last path component when enforcing AllowChrootSymlinks. Attackers with local access could bypass the AllowChrootSymlinks control by replacing a path component (other than the last one) with a symbolic link. The threat model includes an attacker who is not granted full filesystem access by a hosting provider, but can reconfigure the home directory of an FTP user.

Metrics

EPSS Probability

0.42%

33.5th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-59

Affected Software

Vendor	Product	Versions	Update
Proftpd	Proftpd	<= 1.3.5	D
Proftpd	Proftpd	1.3.6	—

References

http://bugs.proftpd.org/show_bug.cgi?id=4295Issue Tracking, Patch
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00004.html
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00022.html
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00009.html
http://www.securityfocus.com/bid/97409Third Party Advisory, VDB Entry
https://github.com/proftpd/proftpd/commit/ecff21e0d0e84f35c299ef91d7fda088e516d4edIssue Tracking, Patch, Third Party Advisory
https://github.com/proftpd/proftpd/commit/f59593e6ff730b832dbe8754916cb5c821db579fIssue Tracking, Patch, Third Party Advisory
https://github.com/proftpd/proftpd/pull/444/commits/349addc3be4fcdad9bd4ec01ad1ccd916c898ed8Issue Tracking, Patch, Third Party Advisory
http://bugs.proftpd.org/show_bug.cgi?id=4295Issue Tracking, Patch
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00004.html
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00022.html
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00009.html
http://www.securityfocus.com/bid/97409Third Party Advisory, VDB Entry
https://github.com/proftpd/proftpd/commit/ecff21e0d0e84f35c299ef91d7fda088e516d4edIssue Tracking, Patch, Third Party Advisory
https://github.com/proftpd/proftpd/commit/f59593e6ff730b832dbe8754916cb5c821db579fIssue Tracking, Patch, Third Party Advisory
https://github.com/proftpd/proftpd/pull/444/commits/349addc3be4fcdad9bd4ec01ad1ccd916c898ed8Issue Tracking, Patch, Third Party Advisory

Timeline

Published: Apr 4, 2017
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2017-7418?

How severe is CVE-2017-7418?

Severity scoring for CVE-2017-7418 is pending analysis. The EPSS model estimates a 0.42% probability of exploitation in the next 30 days.

How do I fix CVE-2017-7418?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2017-7418?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST