{"id":"CVE-2024-48651","details":"In ProFTPD through 1.3.8b before cec01cc, supplemental group inheritance grants unintended access to GID 0 because of the lack of supplemental groups from mod_sql.","modified":"2026-04-16T00:08:13.358704963Z","published":"2024-11-29T05:15:05.963Z","related":["SUSE-SU-2025:1028-1","openSUSE-SU-2025:14636-1"],"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/11/msg00032.html"},{"type":"REPORT","url":"https://github.com/proftpd/proftpd/issues/1830"},{"type":"FIX","url":"https://github.com/proftpd/proftpd/commit/cec01cc0a2523453e5da5a486bc6d977c3768db1"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/proftpd/proftpd","events":[{"introduced":"0"},{"fixed":"cec01cc0a2523453e5da5a486bc6d977c3768db1"}]}],"versions":["v1.3.6","v1.3.6rc1","v1.3.6rc2","v1.3.6rc3","v1.3.6rc4","v1.3.7","v1.3.7rc1","v1.3.7rc2","v1.3.7rc3","v1.3.7rc4","v1.3.8","v1.3.8rc1","v1.3.8rc2","v1.3.8rc3","v1.3.8rc4","v1.3.9rc1","v1.3.9rc2"],"database_specific":{"vanir_signatures":[{"digest":{"line_hashes":["241826480125719508170331703112517546782","83038903423867946056526867307522736168","329242786179123763484665696963553920530","136598311252058349769192104775603423345","4289333976649283761296570363669672240","214097130631858452644417131628581964209","135993045477909499629858457941540788582","233664117571097207714333893254907167263","42662693253802801550936790773518592054","254847784116696712838160626074616474854","24647064842941430170908643336696081462","320084414010630237395206390352537366100","236878984579876450464159951347386418163","163811401541803634792216492889654514554","260818850143139079995934862484232771182","77905896671089196448889247168445624854","121149393972726395558091033446130653824","54500582070541384263967646210336262735","131728512189978376222418837695839594361","316802008808663806618127403106554385075","243146828352849708218636746920617873646"],"threshold":0.9},"id":"CVE-2024-48651-06026400","signature_type":"Line","target":{"file":"src/auth.c"},"deprecated":false,"signature_version":"v1","source":"https://github.com/proftpd/proftpd/commit/cec01cc0a2523453e5da5a486bc6d977c3768db1"},{"digest":{"threshold":0.9,"line_hashes":["56711568699791777063010077034350926923","244336609763366538744953431043328362254","121005404154955508441328300741457047693","233539956001220427180733958826712618910","314908408910608316195033920154335458915","250948074795593264913477840512256710153"]},"id":"CVE-2024-48651-75a7e17c","signature_type":"Line","target":{"file":"contrib/mod_sftp/auth.c"},"deprecated":false,"signature_version":"v1","source":"https://github.com/proftpd/proftpd/commit/cec01cc0a2523453e5da5a486bc6d977c3768db1"},{"digest":{"function_hash":"187034407946730235899894532939015682716","length":19246},"id":"CVE-2024-48651-77b5f603","signature_type":"Function","target":{"file":"modules/mod_auth.c","function":"setup_env"},"deprecated":false,"signature_version":"v1","source":"https://github.com/proftpd/proftpd/commit/cec01cc0a2523453e5da5a486bc6d977c3768db1"},{"digest":{"threshold":0.9,"line_hashes":["181464189053819092841469814985425621500","334872106466614068527349446077542405070","196032808652393326460944060646460829150","39578959533843600226953819164894945836","33720135756503817538998337696406887804","264462616318780923595180723788196630357","46140058366325920564606130846525933042","175582859461736681225681752098539060300","231728410306602372778186671967766588362","96541821314016273967809128432727004028"]},"id":"CVE-2024-48651-8a04e39f","signature_type":"Line","target":{"file":"modules/mod_auth.c"},"deprecated":false,"signature_version":"v1","source":"https://github.com/proftpd/proftpd/commit/cec01cc0a2523453e5da5a486bc6d977c3768db1"},{"digest":{"function_hash":"153327724525144796053422275410370040632","length":8986},"id":"CVE-2024-48651-953eec8c","signature_type":"Function","signature_version":"v1","deprecated":false,"target":{"file":"contrib/mod_sftp/auth.c","function":"setup_env"},"source":"https://github.com/proftpd/proftpd/commit/cec01cc0a2523453e5da5a486bc6d977c3768db1"},{"digest":{"function_hash":"260082419041335454373305522463553736706","length":1517},"id":"CVE-2024-48651-997f0c07","signature_type":"Function","signature_version":"v1","deprecated":false,"target":{"file":"src/auth.c","function":"pr_auth_getgroups"},"source":"https://github.com/proftpd/proftpd/commit/cec01cc0a2523453e5da5a486bc6d977c3768db1"}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-48651.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}