CVE-2024-48651
Published 2024-11-29
Priority P3 · 55 · high · 7.5 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
EXPLOIT
EPSS: 2.20% (80.3th percentile)
In ProFTPD through 1.3.8b before cec01cc, supplemental group inheritance grants unintended access to GID 0 because of the lack of supplemental groups from mod_sql.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | proftpd-dfsg | < proftpd-dfsg 1.3.8+dfsg-4+deb12u4 (bookworm) | proftpd-dfsg 1.3.8+dfsg-4+deb12u4 (bookworm) |
Detection & IOCs (extracted from sources)
- Banner-grab on TCP/21 and extract ProFTPD version string; flag any response advertising ProFTPD <= 1.3.8b as vulnerable to GID 0 privilege escalation via mod_sql.
- Use the regex `ProFTPD ([0-9.a-z]+)` against the FTP banner to extract the version number for comparison.
- Authenticated FTP sessions on a vulnerable ProFTPD instance using mod_sql should be monitored for unexpected access to GID 0 resources, indicating supplemental group inheritance abuse.
- On Debian/Ubuntu systems, check installed proftpd-dfsg package version; bookworm must be >= 1.3.8+dfsg-4+deb12u4, bullseye >= 1.3.7a+dfsg-12+deb11u3, and trixie/sid/forky >= 1.3.8.b+dfsg-4.
- The vulnerability is only exploitable when the mod_sql module is loaded and in use; deployments not using mod_sql for authentication/group lookups are not affected by this specific GID 0 inheritance path.
- The fix is tied to a specific commit (cec01cc); source builds must be verified to include this commit, not just a version number check, as the version string '1.3.8b' alone does not distinguish patched from unpatched builds.
- The Nuclei template probe sends a 4-byte null hex payload (`00000000`) to TCP/21 purely to elicit a banner; this is a passive/version-check detection and does not confirm active exploitation.
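A banner triage sketch for the version check described in the list above, added here as an example and not taken from the Nuclei template or the ProFTPD project. The function names, status labels and sample greetings are constructed for illustration; only the regex and the 1.3.8b cut-off come from the page.

```python
import re

# Regex quoted on the page for pulling the version out of the FTP greeting.
BANNER_RE = re.compile(r"ProFTPD ([0-9.a-z]+)")
LAST_AFFECTED = "1.3.8b"  # "through 1.3.8b" per the advisory text


def version_key(version):
    """Map '1.3.8b' to ((1, 3, 8), 'b'); return None for other shapes (e.g. rc builds)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", version)
    if m is None:
        return None
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2)


def triage_banner(banner):
    """Return (status, version) for one FTP greeting line."""
    m = BANNER_RE.search(banner)
    if m is None:
        return "no-version", None            # version hidden, or not ProFTPD
    version = m.group(1).rstrip(".")
    key = version_key(version)
    if key is None:
        return "unparsed", version           # leave for manual review
    if key <= version_key(LAST_AFFECTED):
        # The banner cannot prove the fix is absent: distro backports and
        # source builds that include cec01cc still report an old version.
        return "verify-package-or-commit", version
    return "newer-than-affected", version


# Constructed sample greetings (not captured from real hosts).
SAMPLES = [
    "220 ProFTPD 1.3.8b Server (files) [192.0.2.10]",
    "220 ProFTPD 1.3.7a Server (Debian) [192.0.2.11]",
    "220 ProFTPD 1.3.9 Server (ftp) [192.0.2.12]",
    "220 ProFTPD 1.3.9rc2 Server (ftp) [192.0.2.13]",
    "220 ProFTPD Server (ftp) [192.0.2.14]",
    "220 (vsFTPd 3.0.5)",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(triage_banner(line), "<-", line)
```

Hosts that land in `verify-package-or-commit` still need the package-version or commit check from the list, plus confirmation that mod_sql is loaded, before they are treated as exposed.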
CVSS provenance
nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
osv · 7.5 HIGH
vendor_debian · 7.5 HIGH
vendor_ubuntu · 5.9 MEDIUM
OSV
ProFTPD vulnerabilities
osv·2025-02-25·CVSS 5.9
CVE-2023-48795 [MEDIUM] ProFTPD vulnerabilities
Fabian Bäumer, Marcus Brinkmann, and Jörg Schwenk discovered that the
transport protocol implementation in ProFTPD had weak integrity checks.
An attacker could use this vulnerability to bypass security features
like encryption and integrity checks. (CVE-2023-48795)
Martin Mirchev discovered that ProFTPD did not properly validate user
input over the network. An attacker could use this vulnerability to
crash ProFTPD or execute arbitrary code. (CVE-2023-51713)
Brian Ristuccia discovered that ProFTPD incorrectly inherited groups
from the parent process. An attacker could use this vulnerability to
elevate privileges. (CVE-2024-48651)
OSV
CVE-2024-48651: In ProFTPD through 1
osv·2024-11-29·CVSS 7.5
CVE-2024-48651 [HIGH] CVE-2024-48651: In ProFTPD through 1
In ProFTPD through 1.3.8b before cec01cc, supplemental group inheritance grants unintended access to GID 0 because of the lack of supplemental groups from mod_sql.
GHSA
GHSA-mw3w-3jx9-mhff: In ProFTPD through 1
ghsa_unreviewed·2024-11-29
CVE-2024-48651 [HIGH] CWE-863 GHSA-mw3w-3jx9-mhff: In ProFTPD through 1
In ProFTPD through 1.3.8b before cec01cc, supplemental group inheritance grants unintended access to GID 0 because of the lack of supplemental groups from mod_sql.
Ubuntu
ProFTPD vulnerabilities
vendor_ubuntu·2025-02-25·CVSS 5.9
CVE-2023-48795 [MEDIUM] ProFTPD vulnerabilities
Title: ProFTPD vulnerabilities
Summary: Several security issues were fixed in proftpd-dfsg.
Fabian Bäumer, Marcus Brinkmann, and Jörg Schwenk discovered that the
transport protocol implementation in ProFTPD had weak integrity checks.
An attacker could use this vulnerability to bypass security features
like encryption and integrity checks. (CVE-2023-48795)
Martin Mirchev discovered that ProFTPD did not properly validate user
input over the network. An attacker could use this vulnerability to
crash ProFTPD or execute arbitrary code. (CVE-2023-51713)
Brian Ristuccia discovered that ProFTPD incorrectly inherited groups
from the parent process. An attacker could use this vulnerability to
elevate privileges. (CVE-2024-48651)
Instructions: In general, a standard system update will make all t
Debian
CVE-2024-48651: proftpd-dfsg - In ProFTPD through 1.3.8b before cec01cc, supplemental group inheritance grants ...
vendor_debian·2024·CVSS 7.5
CVE-2024-48651 [HIGH] CVE-2024-48651: proftpd-dfsg - In ProFTPD through 1.3.8b before cec01cc, supplemental group inheritance grants ...
In ProFTPD through 1.3.8b before cec01cc, supplemental group inheritance grants unintended access to GID 0 because of the lack of supplemental groups from mod_sql.
Scope: local
bookworm: resolved (fixed in 1.3.8+dfsg-4+deb12u4)
bullseye: resolved (fixed in 1.3.7a+dfsg-12+deb11u3)
forky: resolved (fixed in 1.3.8.b+dfsg-4)
sid: resolved (fixed in 1.3.8.b+dfsg-4)
trixie: resolved (fixed in 1.3.8.b+dfsg-4)
No detection rules found.
Nuclei
ProFTPD ≤ 1.3.8b - Privilege Escalation via mod_sql
nuclei·CVSS 7.5
CVE-2024-48651 [HIGH] ProFTPD ≤ 1.3.8b - Privilege Escalation via mod_sql
ProFTPD versions through 1.3.8b (before commit cec01cc) contain a vulnerability in the mod_sql module due to improper handling of supplemental groups. This flaw allows authenticated users without explicitly assigned supplemental groups to inherit root group privileges (GID 0), potentially granting unauthorized access to sensitive system resources.
Template:
```yaml
id: CVE-2024-48651

info:
  name: ProFTPD ≤ 1.3.8b - Privilege Escalation via mod_sql
  author: pussycat0x
  severity: high
  description: |
    ProFTPD versions through 1.3.8b (before commit cec01cc) contain a vulnerability in the mod_sql module due to improper handling of supplemental groups. This flaw allows authenticated users without explicitly assigned supplemental groups to inherit root
```