CVE-2017-12170

EUVD-2017-3746
Downstream version 1.0.46-1 of pure-ftpd as shipped in Fedora was vulnerable to packaging error due to which the original configuration was ignored after update and service started running with default configuration. This has security implications because of overriding security-related configuration. This issue doesn't affect upstream version of pure-ftpd.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 55%
Affected Products (NVD)
VendorProductVersion
pureftpdpure-ftpd
1.0.46-1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
pure-ftpd
bookworm
1.0.50-2.1
fixed
bullseye
1.0.49-4.1
fixed
sid
1.0.50-2.2
fixed
trixie
1.0.50-2.2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
pure-ftpd
trusty
dne
xenial
not-affected
zesty
not-affected
References
https://bugzilla.redhat.com/show_bug.cgi?id=1493114
https://bugzilla.redhat.com/show_bug.cgi?id=1493114