CVE-2024-48651

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-48651
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-48651.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-48651
Downstream
Related
Published
2024-11-29T05:15:05Z
Modified
2025-09-19T15:04:48.074330Z
Summary
[none]
Details

In ProFTPD through 1.3.8b before cec01cc, supplemental group inheritance grants unintended access to GID 0 because of the lack of supplemental groups from mod_sql.

References

Affected packages

Git / github.com/proftpd/proftpd

Affected ranges

Type
GIT
Repo
https://github.com/proftpd/proftpd
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
cec01cc0a2523453e5da5a486bc6d977c3768db1

Affected versions

v1.*

v1.3.6
v1.3.6rc1
v1.3.6rc2
v1.3.6rc3
v1.3.6rc4
v1.3.7
v1.3.7rc1
v1.3.7rc2
v1.3.7rc3
v1.3.7rc4
v1.3.8
v1.3.8rc1
v1.3.8rc2
v1.3.8rc3
v1.3.8rc4
v1.3.9rc1
v1.3.9rc2

Database specific 

{
    "vanir_signatures": [
        {
            "deprecated": false,
            "source": "https://github.com/proftpd/proftpd/commit/cec01cc0a2523453e5da5a486bc6d977c3768db1",
            "target": {
                "file": "src/auth.c"
            },
            "digest": {
                "line_hashes": [
                    "241826480125719508170331703112517546782",
                    "83038903423867946056526867307522736168",
                    "329242786179123763484665696963553920530",
                    "136598311252058349769192104775603423345",
                    "4289333976649283761296570363669672240",
                    "214097130631858452644417131628581964209",
                    "135993045477909499629858457941540788582",
                    "233664117571097207714333893254907167263",
                    "42662693253802801550936790773518592054",
                    "254847784116696712838160626074616474854",
                    "24647064842941430170908643336696081462",
                    "320084414010630237395206390352537366100",
                    "236878984579876450464159951347386418163",
                    "163811401541803634792216492889654514554",
                    "260818850143139079995934862484232771182",
                    "77905896671089196448889247168445624854",
                    "121149393972726395558091033446130653824",
                    "54500582070541384263967646210336262735",
                    "131728512189978376222418837695839594361",
                    "316802008808663806618127403106554385075",
                    "243146828352849708218636746920617873646"
                ],
                "threshold": 0.9
            },
            "id": "CVE-2024-48651-06026400",
            "signature_version": "v1",
            "signature_type": "Line"
        },
        {
            "deprecated": false,
            "source": "https://github.com/proftpd/proftpd/commit/cec01cc0a2523453e5da5a486bc6d977c3768db1",
            "target": {
                "file": "contrib/mod_sftp/auth.c"
            },
            "digest": {
                "line_hashes": [
                    "56711568699791777063010077034350926923",
                    "244336609763366538744953431043328362254",
                    "121005404154955508441328300741457047693",
                    "233539956001220427180733958826712618910",
                    "314908408910608316195033920154335458915",
                    "250948074795593264913477840512256710153"
                ],
                "threshold": 0.9
            },
            "id": "CVE-2024-48651-75a7e17c",
            "signature_version": "v1",
            "signature_type": "Line"
        },
        {
            "deprecated": false,
            "source": "https://github.com/proftpd/proftpd/commit/cec01cc0a2523453e5da5a486bc6d977c3768db1",
            "target": {
                "function": "setup_env",
                "file": "modules/mod_auth.c"
            },
            "digest": {
                "function_hash": "187034407946730235899894532939015682716",
                "length": 19246.0
            },
            "id": "CVE-2024-48651-77b5f603",
            "signature_version": "v1",
            "signature_type": "Function"
        },
        {
            "deprecated": false,
            "source": "https://github.com/proftpd/proftpd/commit/cec01cc0a2523453e5da5a486bc6d977c3768db1",
            "target": {
                "file": "modules/mod_auth.c"
            },
            "digest": {
                "line_hashes": [
                    "181464189053819092841469814985425621500",
                    "334872106466614068527349446077542405070",
                    "196032808652393326460944060646460829150",
                    "39578959533843600226953819164894945836",
                    "33720135756503817538998337696406887804",
                    "264462616318780923595180723788196630357",
                    "46140058366325920564606130846525933042",
                    "175582859461736681225681752098539060300",
                    "231728410306602372778186671967766588362",
                    "96541821314016273967809128432727004028"
                ],
                "threshold": 0.9
            },
            "id": "CVE-2024-48651-8a04e39f",
            "signature_version": "v1",
            "signature_type": "Line"
        },
        {
            "deprecated": false,
            "source": "https://github.com/proftpd/proftpd/commit/cec01cc0a2523453e5da5a486bc6d977c3768db1",
            "target": {
                "function": "setup_env",
                "file": "contrib/mod_sftp/auth.c"
            },
            "digest": {
                "function_hash": "153327724525144796053422275410370040632",
                "length": 8986.0
            },
            "id": "CVE-2024-48651-953eec8c",
            "signature_version": "v1",
            "signature_type": "Function"
        },
        {
            "deprecated": false,
            "source": "https://github.com/proftpd/proftpd/commit/cec01cc0a2523453e5da5a486bc6d977c3768db1",
            "target": {
                "function": "pr_auth_getgroups",
                "file": "src/auth.c"
            },
            "digest": {
                "function_hash": "260082419041335454373305522463553736706",
                "length": 1517.0
            },
            "id": "CVE-2024-48651-997f0c07",
            "signature_version": "v1",
            "signature_type": "Function"
        }
    ]
}