CVE-2017-12170
First published: Tue Sep 19 2017(Updated: )
Downstream version 1.0.46-1 of pure-ftpd as shipped in Fedora was vulnerable to packaging error due to which the original configuration was ignored after update and service started running with default configuration. This has security implications because of overriding security-related configuration. This issue doesn't affect upstream version of pure-ftpd.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Pure-FTPd | =1.0.46-1 | |
| Fedora | =26 | |
| Fedora | =27 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2017-12170?
CVE-2017-12170 has a moderate severity due to allowing the service to run with insecure default configurations.
How do I fix CVE-2017-12170?
To fix CVE-2017-12170, update to a patched version of Pure-FTPd that addresses the packaging error.
Which versions of Fedora are affected by CVE-2017-12170?
Fedora versions 26 and 27 are affected by CVE-2017-12170.
What are the potential risks of CVE-2017-12170?
The potential risks include unauthorized access and exposure of sensitive data due to default configurations overriding user-defined security settings.
Is there a workaround for CVE-2017-12170?
A temporary workaround for CVE-2017-12170 is to manually reconfigure Pure-FTPd settings after an update.
- collector/redhat-bugzilla
- alias/CVE-2017-12170
- agent/references
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- agent/severity
- agent/author
- agent/description
- agent/event
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/pureftpd
- canonical/pure-ftpd
- version/pure-ftpd/1.0.46-1
- vendor/fedoraproject
- canonical/fedora
- version/fedora/26
- version/fedora/27