cbcvebase.
CVE-2024-48208
published 2024-10-24

CVE-2024-48208: pure-ftpd before 1.0.52 is vulnerable to Buffer Overflow. There is an out of bounds read in the domlsd() function of the ls.c file.

PriorityP355high8.6CVSS 3.1
AVNACLPRNUINSUCLILAH
EXPLOIT
EPSS
1.51%
71.3th percentile
pure-ftpd before 1.0.52 is vulnerable to Buffer Overflow. There is an out of bounds read in the domlsd() function of the ls.c file.

Affected

2 ranges
VendorProductVersion rangeFixed in
debianpure-ftpd
pureftpdpure-ftpd< 1.0.521.0.52

Detection & IOCsextracted from sources · hover to see the quote

otherproduct:"Pure-FTPd"
versionPure-FTPd < 1.0.52
yara
contains(raw, 'Pure-FTPd') AND compare_versions(version, '< 1.0.52')
  • Detect vulnerable Pure-FTPd banners by matching the version string from the FTP banner response against versions prior to 1.0.52 using the regex pattern 'Pure-FTPd ([0-9.]+)'.
  • Send a hex null-byte probe (00000000) to port 21 and inspect the raw response for the 'Pure-FTPd' banner string to fingerprint the service.
  • Use Shodan to identify exposed Pure-FTPd instances via the query product:"Pure-FTPd" for pre-scan reconnaissance.
  • The vulnerability is in the domlsd() function of ls.c; look for out-of-bounds read crashes or anomalous FTP LIST/MLSD command responses as a runtime indicator.
  • ·The Nuclei template uses a read-size of 1024 bytes; larger FTP banners or multi-line responses may be truncated, potentially causing false negatives during version extraction.
  • ·Debian distributions (bookworm, bullseye, sid, trixie) are listed as 'open' (unpatched) as of the advisory; scope is noted as 'local' in the Debian tracker, which may affect exploitability assessment in those environments.
  • ·The detection condition requires BOTH the 'Pure-FTPd' banner string AND a version below 1.0.52; if the banner omits the version number, the version comparator will not fire and the check will produce a false negative.

CVSS provenance

nvdv3.18.6HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
osv8.6HIGH
vendor_debian8.6LOW
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.