CVE-2024-48651

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-48651
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-48651.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-48651
Downstream
Related
Published
2024-11-29T05:15:05Z
Modified
2025-10-17T13:00:53.358583Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
[none]
Details

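In ProFTPD through 1.3.8b (before commit cec01cc), supplemental group inheritance grants unintended access to GID 0 because mod_sql supplies no supplemental groups. Note that the "Affected versions" list below also includes the v1.3.9rc1 and v1.3.9rc2 tags, so a version check against 1.3.8b alone is not sufficient; confirm that the build in use contains the fix commit.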

References

Affected packages

Git / github.com/proftpd/proftpd

Affected ranges

Type
GIT
Repo
https://github.com/proftpd/proftpd
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
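Fixed
[no value shown in this rendering; the Details text and the "source" field of each signature below name commit cec01cc0a2523453e5da5a486bc6d977c3768db1 as the fix]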

Affected versions

v1.*

v1.3.6
v1.3.6rc1
v1.3.6rc2
v1.3.6rc3
v1.3.6rc4
v1.3.7
v1.3.7rc1
v1.3.7rc2
v1.3.7rc3
v1.3.7rc4
v1.3.8
v1.3.8rc1
v1.3.8rc2
v1.3.8rc3
v1.3.8rc4
v1.3.9rc1
v1.3.9rc2

Database specific

vanir_signatures

[
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "241826480125719508170331703112517546782",
                "83038903423867946056526867307522736168",
                "329242786179123763484665696963553920530",
                "136598311252058349769192104775603423345",
                "4289333976649283761296570363669672240",
                "214097130631858452644417131628581964209",
                "135993045477909499629858457941540788582",
                "233664117571097207714333893254907167263",
                "42662693253802801550936790773518592054",
                "254847784116696712838160626074616474854",
                "24647064842941430170908643336696081462",
                "320084414010630237395206390352537366100",
                "236878984579876450464159951347386418163",
                "163811401541803634792216492889654514554",
                "260818850143139079995934862484232771182",
                "77905896671089196448889247168445624854",
                "121149393972726395558091033446130653824",
                "54500582070541384263967646210336262735",
                "131728512189978376222418837695839594361",
                "316802008808663806618127403106554385075",
                "243146828352849708218636746920617873646"
            ]
        },
        "target": {
            "file": "src/auth.c"
        },
        "signature_type": "Line",
        "deprecated": false,
        "signature_version": "v1",
        "source": "https://github.com/proftpd/proftpd/commit/cec01cc0a2523453e5da5a486bc6d977c3768db1",
        "id": "CVE-2024-48651-06026400"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "56711568699791777063010077034350926923",
                "244336609763366538744953431043328362254",
                "121005404154955508441328300741457047693",
                "233539956001220427180733958826712618910",
                "314908408910608316195033920154335458915",
                "250948074795593264913477840512256710153"
            ]
        },
        "target": {
            "file": "contrib/mod_sftp/auth.c"
        },
        "signature_type": "Line",
        "deprecated": false,
        "signature_version": "v1",
        "source": "https://github.com/proftpd/proftpd/commit/cec01cc0a2523453e5da5a486bc6d977c3768db1",
        "id": "CVE-2024-48651-75a7e17c"
    },
    {
        "digest": {
            "length": 19246.0,
            "function_hash": "187034407946730235899894532939015682716"
        },
        "target": {
            "function": "setup_env",
            "file": "modules/mod_auth.c"
        },
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "source": "https://github.com/proftpd/proftpd/commit/cec01cc0a2523453e5da5a486bc6d977c3768db1",
        "id": "CVE-2024-48651-77b5f603"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "181464189053819092841469814985425621500",
                "334872106466614068527349446077542405070",
                "196032808652393326460944060646460829150",
                "39578959533843600226953819164894945836",
                "33720135756503817538998337696406887804",
                "264462616318780923595180723788196630357",
                "46140058366325920564606130846525933042",
                "175582859461736681225681752098539060300",
                "231728410306602372778186671967766588362",
                "96541821314016273967809128432727004028"
            ]
        },
        "target": {
            "file": "modules/mod_auth.c"
        },
        "signature_type": "Line",
        "deprecated": false,
        "signature_version": "v1",
        "source": "https://github.com/proftpd/proftpd/commit/cec01cc0a2523453e5da5a486bc6d977c3768db1",
        "id": "CVE-2024-48651-8a04e39f"
    },
    {
        "digest": {
            "length": 8986.0,
            "function_hash": "153327724525144796053422275410370040632"
        },
        "target": {
            "function": "setup_env",
            "file": "contrib/mod_sftp/auth.c"
        },
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "source": "https://github.com/proftpd/proftpd/commit/cec01cc0a2523453e5da5a486bc6d977c3768db1",
        "id": "CVE-2024-48651-953eec8c"
    },
    {
        "digest": {
            "length": 1517.0,
            "function_hash": "260082419041335454373305522463553736706"
        },
        "target": {
            "function": "pr_auth_getgroups",
            "file": "src/auth.c"
        },
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "source": "https://github.com/proftpd/proftpd/commit/cec01cc0a2523453e5da5a486bc6d977c3768db1",
        "id": "CVE-2024-48651-997f0c07"
    }
]