CVE-2017-12170

Downstream version 1.0.46-1 of pure-ftpd as shipped in Fedora was vulnerable to packaging error due to which the original configuration was ignored after update and service started running with default configuration. This has security implications because of overriding security-related configuration. This issue doesn't affect upstream version of pure-ftpd.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 54%
VendorProductVersion
pureftpdpure-ftpd
1.0.46-1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
pure-ftpd
bullseye
1.0.49-4.1
fixed
bookworm
1.0.50-2.1
fixed
sid
1.0.50-2.2
fixed
trixie
1.0.50-2.2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
pure-ftpd
zesty
not-affected
xenial
not-affected
trusty
dne
References
https://bugzilla.redhat.com/show_bug.cgi?id=1493114
https://bugzilla.redhat.com/show_bug.cgi?id=1493114