CVE-2024-48651: 
ProFTPd vulnerability analysis and mitigation

CVE-2024-48651 affects ProFTPD versions through 1.3.8b (before commit cec01cc). The vulnerability involves supplemental group inheritance that incorrectly grants unintended access to GID 0 (root group) due to the lack of proper handling of supplemental groups from mod_sql (NVD, Security Online).

The vulnerability stems from improper handling of supplemental groups in ProFTPD's authentication process. When users don't have explicitly assigned supplemental groups, they inherit supplemental group memberships from the parent process, including GID 0 (root). This behavior was introduced after a fix for another issue (#808) which removed code that previously caused ProFTPD to overwrite its supplemental group membership when configured to run as non-root (GitHub Issue). The vulnerability has been assigned a CVSS v3.1 Base Score of 7.5 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability allows authenticated users with no explicitly assigned supplemental groups to gain unauthorized access to files and directories owned by the root group. This represents a significant privilege escalation as affected users can access sensitive system resources that should be restricted (Security Online).

The vulnerability has been fixed in ProFTPD with commit cec01cc, which implements proper handling of supplemental groups. When no supplemental groups are provided, the system now defaults to using the process primary GID as the supplemental group, preventing unintended access escalation. System administrators are strongly advised to update their ProFTPD installations to a version containing this fix (GitHub Commit).