CVE-2021-37533
CVSS V2 None
CVSS V3 None
Description
Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.
Overview
- CVE ID: CVE-2021-37533
- Assigner: security@apache.org
- Vulnerability Status: Analyzed
- Published Version: 2022-12-03T15:15:09
- Last Modified Date: 2023-01-10T19:29:09
Weakness Enumerations
CPE Configuration (Product)
CPE | Vulnerable | Operator | Version Start | Version End |
---|---|---|---|---|
cpe:2.3:a:apache:commons_net:*:*:*:*:*:*:*:* | 1 | OR | | 3.9.0 |
References
Reference URL | Reference Tags |
---|---|
http://www.openwall.com/lists/oss-security/2022/12/03/1 | Issue Tracking Mailing List Third Party Advisory |
https://lists.apache.org/thread/o6yn9r9x6s94v97264hmgol1sf48mvx7 | Issue Tracking Mailing List Vendor Advisory |
https://lists.debian.org/debian-lts-announce/2022/12/msg00038.html | |
https://www.debian.org/security/2022/dsa-5307 | |
Sources
Source Name | Source URL |
---|---|
NIST | https://nvd.nist.gov/vuln/detail/CVE-2021-37533 |
MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37533 |
History
Created | Old Value | New Value | Data Type | Notes |
---|---|---|---|---|
2022-12-07 18:06:18 | | | | Added to TrackCVE |
2022-12-30 00:15:59 | 2022-12-03T15:15:09.747 | 2022-12-03T15:15:09 | CVE Published Date | updated |
2022-12-30 00:15:59 | | 2022-12-29T23:15:09 | CVE Modified Date | updated |
2022-12-30 00:15:59 | Analyzed | Modified | Vulnerability Status | updated |
2022-12-30 00:15:59 | | | References | updated |
2022-12-30 05:14:08 | | 2022-12-30T04:15:08 | CVE Modified Date | updated |
2022-12-30 05:14:08 | | | References | updated |
2022-12-30 15:14:36 | Modified | Undergoing Analysis | Vulnerability Status | updated |
2023-01-10 20:25:44 | | 2023-01-10T19:29:09 | CVE Modified Date | updated |
2023-01-10 20:25:44 | Undergoing Analysis | Analyzed | Vulnerability Status | updated |