CVE-2024-48651 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 96%

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
proftpd	proftpd	𝑥 ≤ 1.3.8b	ADP
proftpd	proftpd	𝑥 < cec01cc	ADP

Debian Releases

Debian Product

Codename

proftpd-dfsg

bookworm	1.3.8+dfsg-4+deb12u4 fixed
bookworm (security)	1.3.8+dfsg-4+deb12u4 fixed
bullseye	vulnerable
bullseye (security)	1.3.7a+dfsg-12+deb11u5 fixed
forky	1.3.9~dfsg-4 fixed
sid	1.3.9~dfsg-4 fixed
trixie	1.3.8.c+dfsg-4+deb13u1 fixed

Ubuntu Releases

Ubuntu Product

Codename

proftpd-dfsg

bionic	not-affected
focal	Fixed 1.3.6c-2ubuntu0.1 released
jammy	Fixed 1.3.7c+dfsg-1ubuntu0.1 released
noble	Fixed 1.3.8.b+dfsg-1ubuntu0.1 released
oracular	Fixed 1.3.8.b+dfsg-2ubuntu1.24.10.1 released
plucky	not-affected
xenial	not-affected

Common Weakness Enumeration

CWE-863 - Incorrect Authorization
The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References

https://github.com/proftpd/proftpd/commit/cec01cc0a2523453e5da5a486bc6d977c3768db1

https://github.com/proftpd/proftpd/issues/1830

https://lists.debian.org/debian-lts-announce/2024/11/msg00032.html