CVE-2021-4189

A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 60%
VendorProductVersion
pythonpython
3.6.0 ≤
𝑥
< 3.6.14
pythonpython
3.7.0 ≤
𝑥
< 3.7.11
pythonpython
3.8.0 ≤
𝑥
< 3.8.9
pythonpython
3.9.0 ≤
𝑥
< 3.9.3
pythonpython
3.10.0
debiandebian_linux
10.0
debiandebian_linux
11.0
redhatsoftware_collections
-
redhatenterprise_linux
8.0
netappontap_select_deploy_administration_utility
-
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
pypy3
bullseye (security)
vulnerable
bullseye
no-dsa
stretch
no-dsa
buster
no-dsa
bookworm
7.3.11+dfsg-2+deb12u2
fixed
sid
7.3.17+dfsg-2
fixed
trixie
7.3.17+dfsg-2
fixed
python2.7
bullseye
vulnerable
stretch
no-dsa
buster
no-dsa
python3.9
bullseye
vulnerable
stretch
no-dsa
buster
no-dsa
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
python2.7
noble
dne
mantic
dne
lunar
dne
kinetic
ignored
jammy
Fixed 2.7.18-13ubuntu1.2+esm1
released
impish
ignored
hirsute
ignored
focal
Fixed 2.7.18-1~20.04.4+esm1
released
bionic
Fixed 2.7.17-1~18.04ubuntu1.7
released
xenial
Fixed 2.7.12-1ubuntu0~16.04.18+esm1
released
trusty
Fixed 2.7.6-8ubuntu0.6+esm12
released
python3.10
noble
dne
mantic
dne
lunar
dne
kinetic
not-affected
jammy
not-affected
impish
not-affected
hirsute
ignored
focal
dne
bionic
dne
xenial
dne
trusty
dne
python3.4
noble
dne
mantic
dne
lunar
dne
kinetic
dne
jammy
dne
impish
dne
hirsute
dne
focal
dne
bionic
dne
xenial
dne
trusty
Fixed 3.4.3-1ubuntu1~14.04.7+esm12
released
python3.5
noble
dne
mantic
dne
lunar
dne
kinetic
dne
jammy
dne
impish
dne
hirsute
dne
focal
dne
bionic
dne
xenial
Fixed 3.5.2-2ubuntu0~16.04.13+esm2
released
trusty
Fixed 3.5.2-2ubuntu0~16.04.4~14.04.1+esm1
released
python3.6
noble
dne
mantic
dne
lunar
dne
kinetic
dne
jammy
dne
impish
dne
hirsute
dne
focal
dne
bionic
Fixed 3.6.9-1~18.04ubuntu1.7
released
xenial
dne
trusty
dne
python3.7
noble
dne
mantic
dne
lunar
dne
kinetic
dne
jammy
dne
impish
dne
hirsute
dne
focal
dne
bionic
Fixed 3.7.5-2ubuntu1~18.04.2+esm3
released
xenial
dne
trusty
dne
python3.8
noble
dne
mantic
dne
lunar
dne
kinetic
dne
jammy
dne
impish
dne
hirsute
dne
focal
not-affected
bionic
Fixed 3.8.0-3ubuntu1~18.04.2+esm2
released
xenial
dne
trusty
dne
python3.9
noble
dne
mantic
dne
lunar
dne
kinetic
dne
jammy
dne
impish
not-affected
hirsute
ignored
focal
not-affected
bionic
dne
xenial
dne
trusty
dne
Common Weakness Enumeration
References
https://access.redhat.com/security/cve/CVE-2021-4189
https://bugs.python.org/issue43285
https://bugzilla.redhat.com/show_bug.cgi?id=2036020
https://github.com/python/cpython/commit/0ab152c6b5d95caa2dc1a30fa96e10258b5f188e
https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html
https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html
https://python-security.readthedocs.io/vuln/ftplib-pasv.html
https://security-tracker.debian.org/tracker/CVE-2021-4189
https://security.netapp.com/advisory/ntap-20221104-0004/
https://access.redhat.com/security/cve/CVE-2021-4189
https://bugs.python.org/issue43285
https://bugzilla.redhat.com/show_bug.cgi?id=2036020
https://github.com/python/cpython/commit/0ab152c6b5d95caa2dc1a30fa96e10258b5f188e
https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html
https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html
https://python-security.readthedocs.io/vuln/ftplib-pasv.html
https://security-tracker.debian.org/tracker/CVE-2021-4189
https://security.netapp.com/advisory/ntap-20221104-0004/