Main Vulnerability Database Vulnerabilities #VU38215

Input validation error in Pure-FTPd - CVE-2017-12170

Published: September 21, 2017 / Updated: August 8, 2020

Vulnerability identifier: #VU38215

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2017-12170

CWE-ID: CWE-20

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: PureFTPd.org

Affected software:
Pure-FTPd

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Downstream version 1.0.46-1 of pure-ftpd as shipped in Fedora was vulnerable to packaging error due to which the original configuration was ignored after update and service started running with default configuration. This has security implications because of overriding security-related configuration. This issue doesn't affect upstream version of pure-ftpd.

How to mitigate CVE-2017-12170

Install update from vendor's website.

Sources

https://bugzilla.redhat.com/show_bug.cgi?id=1493114

Input validation error in Pure-FTPd - CVE-2017-12170

Detailed vulnerability description

How to mitigate CVE-2017-12170

Sources

Please verify you're human