CVE-2021-40524
published 2021-09-05


Priority: P3 (51, high)
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 4.29% (89.9th percentile)
In Pure-FTPd before 1.0.50, an incorrect max_filesize quota mechanism in the server allows attackers to upload files of unbounded size, which may lead to denial of service or a server hang. This occurs because a certain greater-than-zero test does not anticipate an initial -1 value. (Versions 1.0.23 through 1.0.49 are affected.)

Affected

5 ranges

Vendor    | Product   | Version range                    | Fixed in
debian    | pure-ftpd | < pure-ftpd 1.0.50-1 (bookworm)  | pure-ftpd 1.0.50-1 (bookworm)
pureftpd  | pure-ftpd | >= 0 < 1.0.49-4.1+deb11u1        | 1.0.49-4.1+deb11u1
pureftpd  | pure-ftpd | >= 0 < 1.0.50-1                  | 1.0.50-1
pureftpd  | pure-ftpd | >= 0 < 1.0.50-1                  | 1.0.50-1
pureftpd  | pure-ftpd | >= 1.0.23 < 1.0.50               | 1.0.50

Detection & IOCs (extracted from sources)

sigma
regex: Pure-FTPd ([0-9.]+)
  • Detect vulnerable Pure-FTPd versions by extracting the version string from the banner/response and flagging versions 1.0.23 through 1.0.49 inclusive.
  • A nuclei-style version extractor template targets Pure-FTPd version strings via a regex match on the server banner to identify affected versions.
  • The vulnerability only affects Pure-FTPd versions 1.0.23 through 1.0.49; version 1.0.50 and later are not affected.
  • The flaw is in the max_filesize quota enforcement logic (a greater-than-zero check that does not handle an initial -1 value), so exploitation requires the ability to upload files; scope is local/authenticated.
  • Debian fixed this in specific package versions per release: bookworm/sid/trixie fixed in 1.0.50-1; bullseye fixed in 1.0.49-4.1+deb11u1.
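The banner-based version check described above, as an added example (not code from the record or from the Pure-FTPd project): it applies the page's regex to a banner and flags versions in the affected 1.0.23 through 1.0.49 range. The banner strings are constructed sample input; real servers may not disclose a version at all.

```python
import re

# Regex taken from the detection rule above; the banner layout is assumed.
VERSION_RE = re.compile(r"Pure-FTPd ([0-9.]+)")

AFFECTED_MIN = (1, 0, 23)   # first affected release per the advisory
AFFECTED_MAX = (1, 0, 49)   # last affected release; 1.0.50 and later are fixed


def extract_version(banner):
    """Return the Pure-FTPd version string found in a banner, or None."""
    m = VERSION_RE.search(banner)
    return m.group(1) if m else None


def parse_version(text):
    """Turn '1.0.49' into the comparable tuple (1, 0, 49).

    A trailing '.' can be captured when the banner sentence ends right
    after the version, so it is stripped before splitting.
    """
    return tuple(int(part) for part in text.strip(".").split("."))


def is_affected(banner):
    """True when the banner reports a version within 1.0.23..1.0.49."""
    version = extract_version(banner)
    if version is None:
        return False  # nothing to decide on; treat as unknown, not affected
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


if __name__ == "__main__":
    # Constructed sample banners (not captured from a real host).
    samples = [
        "220 Pure-FTPd 1.0.49 ready.",
        "220 Pure-FTPd 1.0.50 ready.",
        "220 Welcome to Pure-FTPd [privsep] [TLS]",
    ]
    for line in samples:
        print(f"{line!r}: affected={is_affected(line)}")
```

A banner check cannot see distribution patches: Debian bullseye's fixed package 1.0.49-4.1+deb11u1 still reports 1.0.49, so confirm hits against the installed package version before treating them as vulnerable.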

CVSS provenance

nvd (v3.1): 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd (v2.0): 5.0 MEDIUM, AV:N/AC:L/Au:N/C:N/I:N/A:P
osv: 7.5 HIGH
vendor_debian: 7.5 HIGH