CVE-2021-37533

Prior to Apache Commons Net 3.9.0, the FTP client trusts the host address returned in the server's PASV response by default. A malicious server can redirect the Commons Net client to connect to a different host, although the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. Starting with version 3.9.0 the default is false, so such hosts are ignored, as cURL does. See https://issues.apache.org/jira/browse/NET-711.
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
| --- | --- | --- | --- | --- | --- | --- |
| NIST | NIST | 6.5 MEDIUM | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
| apache | CNA | --- | --- | --- | --- | --- |
| CVE | ADP | --- | --- | --- | --- | --- |
| CISA-ADP | ADP | 6.5 MEDIUM | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |

Base Score: CVSS 3.x
EPSS Score percentile: 39%
| Vendor | Product | Version | Vulnerable |
| --- | --- | --- | --- |
| apache | commons_net | < 3.9.0 | 𝑥 |
| debian | debian_linux | 10.0 | |
| debian | debian_linux | 11.0 | |

𝑥 = Vulnerable software versions
Debian Releases (Debian Product: libcommons-net-java)

| Codename | Version | Status |
| --- | --- | --- |
| bullseye | 3.6-1+deb11u1 | fixed |
| bullseye (security) | 3.6-1+deb11u1 | fixed |
| sid | 3.9.0-1 | fixed |
| trixie | 3.9.0-1 | fixed |
| bookworm | 3.9.0-1 | fixed |
Ubuntu Releases (Ubuntu Product: libcommons-net-java)

| Codename | Version | Status |
| --- | --- | --- |
| lunar | | not-affected |
| kinetic | Fixed 3.6-1+deb11u1build0.22.10.1 | released |
| jammy | Fixed 3.6-1+deb11u1build0.22.04.1 | released |
| focal | Fixed 3.6-1+deb11u1build0.20.04.1 | released |
| bionic | Fixed 3.6-1+deb11u1build0.18.04.1 | released |
| xenial | Fixed 3.4-2ubuntu2+esm1 | released |
| trusty | | ignored |