Cyber Resilience

CVE-2024-48208

Severity: High · Public PoC

Published: 24 October 2024
Modified: 04 September 2025
KEV Added: not listed
Patch: fixed in the 1.0.52 release (GitHub pull request #176)
CVSS Score v3.1: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H)
EPSS Score: 0.3857 (97.3rd percentile)
Risk Priority: 40 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-48208 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Pure-FTPd (vendor pureftpd, product pure-ftpd). Its CVSS base score is 8.6 (High).

Operationally, it ranks in the top 2.7% of CVEs by EPSS exploit likelihood (97.3rd percentile); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

Pure-FTPd versions before 1.0.52 contain an out-of-bounds read in the domlsd() function in ls.c, the code that produces directory listings. The CVE description calls it a buffer overflow, but the assigned weakness is CWE-125 (Out-of-bounds Read): the listing code reads past the end of a buffer rather than writing past it. The CVSS 3.1 score of 8.6 reflects a network attack vector, low attack complexity, and no required privileges or user interaction. Read PR:N with the FTP model in mind: a directory listing needs an FTP session, so the unauthenticated exposure comes from anonymous logins where they are enabled; a server that requires credentials narrows the attacker population to account holders.

An unauthenticated remote attacker can send crafted FTP commands that drive the listing code into the out-of-bounds read. The vector's C:L/I:L/A:H components translate to limited disclosure and modification of data and a high availability impact, typically a crash of the process serving the connection.

The referenced GitHub pull request #176 fixes the issue in the 1.0.52 release; upgrading to 1.0.52 or later is the remediation. The EPSS score peaked at 0.4366 and currently stands at 0.3857, indicating sustained moderate exploitation interest since disclosure.
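As an added example (not code from this page, from Pure-FTPd or from its maintainers), the helpers below do the two things a triager needs from the figures above: decide whether an installed pure-ftpd build is before the 1.0.52 fix, and reproduce the page's Risk Priority from its stated weights. The host inventory is constructed sample data. The version parser takes the first dotted numeric run, so it copes with Debian epochs and revisions and RPM-style package names; the `backported_fixes` set is a hypothetical allow-list for package versions whose changelog confirms a backported fix, since distributions patch without bumping the upstream version. The scaling in `risk_priority` (EPSS and CVSS mapped to 0..100, KEV as 0 or 100) is my reading of the "60% EPSS · 20% KEV · 20% CVSS" line, chosen because it reproduces the page's 40; the page does not state the scaling.

```python
"""Triage helpers for CVE-2024-48208 (pure-ftpd before 1.0.52).

Added example; not code from the advisory page or the pure-ftpd project.
"""
import re
from typing import Collection, Dict, Tuple

# First release carrying the fix (GitHub pull request #176, per the advisory).
FIXED_VERSION: Tuple[int, ...] = (1, 0, 52)


def upstream_version(raw: str) -> Tuple[int, ...]:
    """Pull the upstream version out of a package or banner string.

    Takes the first dotted numeric run, so it handles bare versions ("1.0.51"),
    Debian-style epoch and revision ("1:1.0.51-4+deb12u1") and RPM-style
    package names ("pure-ftpd-1.0.50-2.el9").
    """
    match = re.search(r"\d+(?:\.\d+)+", raw)
    if match is None:
        raise ValueError(f"no version number found in {raw!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def is_affected(raw: str, backported_fixes: Collection[str] = ()) -> bool:
    """True when the upstream version is before 1.0.52.

    `backported_fixes` is a hypothetical allow-list of exact package version
    strings known (from their changelog) to carry the fix without an upstream
    version bump; they are reported as not affected.
    """
    if raw in backported_fixes:
        return False
    return upstream_version(raw) < FIXED_VERSION


def triage(inventory: Dict[str, str],
           backported_fixes: Collection[str] = ()) -> Dict[str, bool]:
    """Map host -> affected flag for an inventory of {host: version string}."""
    return {host: is_affected(version, backported_fixes)
            for host, version in inventory.items()}


def risk_priority(epss: float, cvss: float, in_kev: bool) -> int:
    """Reproduce the page's Risk Priority from its stated weights.

    Assumed scaling (not stated on the page): EPSS probability and CVSS base
    score are both mapped to 0..100 and KEV membership is 0 or 100. With the
    page's inputs (EPSS 0.3857, CVSS 8.6, not in KEV) this gives 40.
    """
    epss_term = 0.6 * (epss * 100)
    kev_term = 0.2 * (100 if in_kev else 0)
    cvss_term = 0.2 * (cvss * 10)
    return round(epss_term + kev_term + cvss_term)


# Constructed sample inventory: hostnames and version strings are made up.
SAMPLE_INVENTORY = {
    "ftp-edge-1": "1.0.51",                  # upstream build, affected
    "ftp-edge-2": "1.0.52",                  # fixed upstream release
    "ftp-deb-1": "1:1.0.51-4+deb12u1",       # Debian-style string, upstream 1.0.51
    "ftp-rhel-1": "pure-ftpd-1.0.50-2.el9",  # RPM-style name, upstream 1.0.50
}

if __name__ == "__main__":
    # Hypothetical: pretend the Debian package changelog confirms a backport.
    known_fixed = {"1:1.0.51-4+deb12u1"}
    for host, affected in triage(SAMPLE_INVENTORY, known_fixed).items():
        print(f"{host}: {'AFFECTED' if affected else 'ok'}")
    print("risk priority:", risk_priority(0.3857, 8.6, in_kev=False))
```

Without the allow-list, every upstream version below 1.0.52 is reported as affected, which is the safe default; only suppress a host after reading the distribution changelog for this CVE ID, because the version string alone cannot tell a backported fix from an unpatched build.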

Vulnerability details

pure-ftpd before 1.0.52 is vulnerable to Buffer Overflow. There is an out of bounds read in the domlsd() function of the ls.c file.

CWE(s)

CWE-125: Out-of-bounds Read

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: pureftpd
Product: pure-ftpd
Versions: < 1.0.52 (fixed in 1.0.52)

Mitigating Controls

No mitigating controls mapped yet; the per-CVE control annotator has not reached this CVE. The remediation is to upgrade to pure-ftpd 1.0.52 or later, which carries the fix from GitHub pull request #176.