CVE-2024-46483
Published: 22 October 2024
Summary
CVE-2024-46483 is a critical-severity Integer Overflow or Wraparound (CWE-190) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 5.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Xlight FTP Server versions prior to 3.9.4.3 contain an integer overflow vulnerability in the packet parsing logic of the SFTP server component. The flaw, tracked as CWE-190, can be triggered during handling of crafted SFTP packets and results in a heap overflow that permits attacker-controlled data to be written beyond allocated bounds.
The issue is remotely exploitable over the network with no authentication or user interaction required. Successful exploitation can lead to arbitrary code execution or memory corruption, granting an attacker full control over confidentiality, integrity, and availability of the affected server as reflected in its CVSS 9.8 rating.
The single public reference is a GitHub repository that documents the vulnerability but provides no vendor advisory or patch details. The associated EPSS score has remained flat at 0.1389 with no material increase since disclosure.
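The description above names the mechanism (a wrapped length calculation in packet parsing that turns a bounds check into a heap overflow) but, with no vendor advisory or patch available, gives no code. The following is an added, constructed illustration of that CWE-190 pattern in a generic SFTP-style parser (4-byte big-endian length prefixes); it is not Xlight's code and makes no claim about where the real flaw sits. The names `vulnerable_accepts`, `hardened_accepts`, `hardened_copy` and `make_packet` are assumptions for this example. It shows the defect a reviewer should look for (adding an untrusted length to an offset before comparing) next to the check that cannot wrap (comparing the length against the bytes that remain).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed illustration of the CWE-190 pattern described for CVE-2024-46483.
 * A length-prefixed packet parser whose bounds check is defeated by uint32
 * wraparound.  This is NOT Xlight's code; all names here are hypothetical. */

#define PAYLOAD_CAP 64u   /* size of the fixed heap/stack buffer a payload is copied into */

static uint32_t read_u32_be(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Defective check: `off + 4 + len` is evaluated in uint32_t.  A length near
 * 0xFFFFFFFF wraps to a small value, the comparison passes, and the caller
 * would then copy far past the packet.  Returns 1 if the field would be
 * accepted (no copy is performed here). */
int vulnerable_accepts(const uint8_t *pkt, uint32_t pkt_len, uint32_t off) {
    if (off + 4 > pkt_len) return 0;
    uint32_t len = read_u32_be(pkt + off);
    uint32_t end = off + 4 + len;          /* can wrap around */
    if (end > pkt_len) return 0;
    return 1;
}

/* Hardened check: never add the untrusted value to anything; compare it
 * against the bytes that remain after the length field. */
int hardened_accepts(const uint8_t *pkt, uint32_t pkt_len, uint32_t off) {
    if (off > pkt_len || pkt_len - off < 4) return 0;
    uint32_t len = read_u32_be(pkt + off);
    uint32_t remaining = pkt_len - off - 4;   /* cannot underflow after the check above */
    if (len > remaining) return 0;
    return 1;
}

/* Hardened copy into a fixed-size destination: validates the field against
 * both the packet and the destination capacity, then copies.  Returns the
 * number of payload bytes copied, or -1 if the field is rejected. */
int hardened_copy(const uint8_t *pkt, uint32_t pkt_len, uint32_t off,
                  uint8_t *dst, uint32_t dst_cap) {
    if (!hardened_accepts(pkt, pkt_len, off)) return -1;
    uint32_t len = read_u32_be(pkt + off);
    if (len > dst_cap) return -1;             /* destination bound, checked separately */
    memcpy(dst, pkt + off + 4, len);
    return (int)len;
}

/* Builds a constructed 8-byte packet: a 4-byte length field followed by 4
 * payload bytes.  The declared length may disagree with the real payload. */
void make_packet(uint8_t out[8], uint32_t declared_len) {
    out[0] = (uint8_t)(declared_len >> 24);
    out[1] = (uint8_t)(declared_len >> 16);
    out[2] = (uint8_t)(declared_len >> 8);
    out[3] = (uint8_t)(declared_len);
    memcpy(out + 4, "data", 4);
}

int main(void) {
    uint8_t pkt[8], dst[PAYLOAD_CAP];

    make_packet(pkt, 0xFFFFFFFCu);   /* constructed: declared length wraps off+4+len to 0 */
    printf("wrapping length: vulnerable=%d hardened=%d copy=%d\n",
           vulnerable_accepts(pkt, 8, 0), hardened_accepts(pkt, 8, 0),
           hardened_copy(pkt, 8, 0, dst, PAYLOAD_CAP));

    make_packet(pkt, 4);             /* constructed: well-formed field */
    printf("honest length:   vulnerable=%d hardened=%d copy=%d\n",
           vulnerable_accepts(pkt, 8, 0), hardened_accepts(pkt, 8, 0),
           hardened_copy(pkt, 8, 0, dst, PAYLOAD_CAP));
    return 0;
}
```

The point of keeping `hardened_accepts` and `hardened_copy` separate is that a parser has two independent bounds: the packet it reads from and the buffer it writes to. Validating only the first is what turns a wrapped length check into the heap overflow the advisory describes, so a code review of any length-prefixed protocol parser should look for both comparisons and for arithmetic on the untrusted length that precedes them.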
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-41857
Vulnerability details
Xlight FTP Server <3.9.4.3 has an integer overflow vulnerability in the packet parsing logic of the SFTP server, which can lead to a heap overflow with attacker-controlled content.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.