Vulnerability DatabaseCVE-2021-40524

CVE-2021-40524:
Pure-FTPd vulnerability analysis and mitigation

Overview

In Pure-FTPd versions 1.0.23 through 1.0.49, an incorrect max_filesize quota mechanism in the server allows attackers to upload files of unbounded size. This vulnerability was discovered in September 2021 and assigned CVE-2021-40524. The issue occurs because a certain greater-than-zero test does not anticipate an initial -1 value (CVE Mitre).

Technical details

The vulnerability stems from a logic flaw in the quota checking mechanism where the predicate (maxfilesize >= (offt) 0 && (maxfilesize = userquotasize - quota.size) < (offt) 0) never evaluates to true because maxfilesize is initially set to -1. When max_filesize >= (offt) 0 evaluates to false, the subsequent predicate is not evaluated, leaving max_filesize at -1 indefinitely. This results in no overflow detection even when quotas are exceeded (GitHub PR).

Impact

The vulnerability may lead to denial of service or server hang conditions as attackers can upload files of unbounded size, potentially exhausting server resources (NVD).

Mitigation and workarounds

The vulnerability was fixed in Pure-FTPd version 1.0.50 with commit 37ad222. The fix involves correcting the predicate order to ensure proper quota checking by evaluating maxfilesize = userquota_size - quota.size first (GitHub Commit).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a Wiz customer? See which CVEs are exploitable in your environment.

Get a CVE Assessment

7.5

Score

Published September 5, 2021

Severity HIGH

CNA Score N/A

Affected Technologies

Pure-FTPd

Has Public Exploit Yes

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 95.4

Exploitation Probability (EPSS) 21.1

Affected packages and libraries

pure-ftpd
cpe:2.3:a:pureftpd:pure-ftpd

Sources

Debian Security Tracker
- Debian 9, 10, 11 Severity MEDIUMNo FixAdded at: Mar 28, 2022
- Debian 12 Severity HIGHHas FixAdded at: Feb 21, 2022
- Debian 13 Severity HIGHHas FixAdded at: Jun 11, 2023
- Debian 14 Severity HIGHHas FixAdded at: Aug 10, 2025
Homebrew
- Homebrew Severity HIGHHas FixAdded at: Feb 12, 2024
Nix
- Nix Severity HIGHHas FixAdded at: Oct 10, 2023
NVD
- Linux Severity HIGHHas FixAdded at: Nov 23, 2021

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related Pure-FTPd vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2024-48208	HIGH	8.6	Pure-FTPd	cpe:2.3:a:pureftpd:pure-ftpd	No	Yes	Oct 24, 2024
CVE-2021-40524	HIGH	7.5	Pure-FTPd	pure-ftpd	No	Yes	Sep 05, 2021
CVE-2020-35359	HIGH	7.5	Pure-FTPd	pure-ftpd	No	Yes	Dec 26, 2020
CVE-2020-9274	HIGH	7.5	Pure-FTPd	pure-ftpd-debugsource	No	Yes	Feb 26, 2020
CVE-2020-9365	HIGH	7.5	Pure-FTPd	pure-ftpd-debugsource	No	Yes	Feb 24, 2020

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

CVE-2021-40524: Pure-FTPd vulnerability analysis and mitigation