CVE-2024-48651

Publication date 29 November 2024

Last updated 26 February 2025

Ubuntu priority

In ProFTPD through 1.3.8b before cec01cc, supplemental group inheritance grants unintended access to GID 0 because of the lack of supplemental groups from mod_sql.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
proftpd-dfsg	25.04 plucky	Vulnerable
	24.10 oracular	Fixed 1.3.8.b+dfsg-2ubuntu1.24.10.1
	24.04 LTS noble	Fixed 1.3.8.b+dfsg-1ubuntu0.1
	22.04 LTS jammy	Fixed 1.3.7c+dfsg-1ubuntu0.1
	20.04 LTS focal	Fixed 1.3.6c-2ubuntu0.1
	18.04 LTS bionic	Not affected
	16.04 LTS xenial	Not affected

How can I get the fixes?
What do statuses mean?

Notes

eslerm

not introduced until v1.3.7 with 678696c8db9fb8e33d444be8f59ea88b419b13ae

References

MITRE
NVD
Launchpad
Debian

Related Ubuntu Security Notices (USN)

USN-7297-1
ProFTPD vulnerabilities
25 February 2025

Other references

https://www.cve.org/CVERecord?id=CVE-2024-48651
https://github.com/proftpd/proftpd/issues/1830
https://github.com/proftpd/proftpd/commit/cec01cc0a2523453e5da5a486bc6d977c3768db1