cbcvebase.
CVE-2024-48651
published 2024-11-29

CVE-2024-48651: In ProFTPD through 1.3.8b before cec01cc, supplemental group inheritance grants unintended access to GID 0 because of the lack of supplemental groups from…

PriorityP355high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EXPLOIT
EPSS
2.20%
80.3th percentile
In ProFTPD through 1.3.8b before cec01cc, supplemental group inheritance grants unintended access to GID 0 because of the lack of supplemental groups from mod_sql.

Affected

1 ranges
VendorProductVersion rangeFixed in
debianproftpd-dfsg< proftpd-dfsg 1.3.8+dfsg-4+deb12u4 (bookworm)proftpd-dfsg 1.3.8+dfsg-4+deb12u4 (bookworm)

Detection & IOCsextracted from sources · hover to see the quote

urlhttps://github.com/proftpd/proftpd/commit/cec01cc0a2523453e5da5a486bc6d977c3768db1
  • Banner-grab on TCP/21 and extract ProFTPD version string; flag any response advertising ProFTPD <= 1.3.8b as vulnerable to GID 0 privilege escalation via mod_sql.
  • Use the regex `ProFTPD ([0-9.a-z]+)` against the FTP banner to extract the version number for comparison.
  • Authenticated FTP sessions on a vulnerable ProFTPD instance using mod_sql should be monitored for unexpected access to GID 0 resources, indicating supplemental group inheritance abuse.
  • On Debian/Ubuntu systems, check installed proftpd-dfsg package version; bookworm must be >= 1.3.8+dfsg-4+deb12u4, bullseye >= 1.3.7a+dfsg-12+deb11u3, and trixie/sid/forky >= 1.3.8.b+dfsg-4.
  • ·The vulnerability is only exploitable when the mod_sql module is loaded and in use; deployments not using mod_sql for authentication/group lookups are not affected by this specific GID 0 inheritance path.
  • ·The fix is tied to a specific commit (cec01cc); source builds must be verified to include this commit, not just a version number check, as the version string '1.3.8b' alone does not distinguish patched from unpatched builds.
  • ·The Nuclei template probe sends a 4-byte null hex payload (`00000000`) to TCP/21 purely to elicit a banner; this is a passive/version-check detection and does not confirm active exploitation.

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
osv7.5HIGH
vendor_debian7.5HIGH
vendor_ubuntu5.9MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.