CVE-2021-37533

EUVD-2022-7599
Prior to Apache Commons Net 3.9.0, the Commons Net FTP client trusts the host address returned in the server's PASV response by default. A malicious server can therefore redirect the Commons Net client to open its data connection to a different host, although the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. Since version 3.9.0 the default is false, so such hosts are ignored and the data connection is made to the host of the control connection, as cURL does. See https://issues.apache.org/jira/browse/NET-711.
Provider  Type     Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST      Primary  6.5 MEDIUM  NETWORK      LOW              NONE            CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CISA-ADP  ADP      6.5 MEDIUM  NETWORK      LOW              NONE            CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Base Score: 6.5 (CVSS 3.x)
EPSS Score percentile: 43%
Affected Products (NVD)
Vendor  Product       Version
apache  commons_net   x < 3.9.0
debian  debian_linux  10.0
debian  debian_linux  11.0
(x = vulnerable software versions)
Debian Releases
Debian Product: libcommons-net-java
Codename             Version        Status
bookworm             3.9.0-1        fixed
bullseye             3.6-1+deb11u1  fixed
bullseye (security)  3.6-1+deb11u1  fixed
sid                  3.9.0-1        fixed
trixie               3.9.0-1        fixed
Ubuntu Releases
Ubuntu Product: libcommons-net-java
Codename  Fix                                Status
bionic    Fixed 3.6-1+deb11u1build0.18.04.1  released
focal     Fixed 3.6-1+deb11u1build0.20.04.1  released
jammy     Fixed 3.6-1+deb11u1build0.22.04.1  released
kinetic   Fixed 3.6-1+deb11u1build0.22.10.1  released
lunar     -                                  not-affected
trusty    -                                  ignored
xenial    Fixed 3.4-2ubuntu2+esm1            released