A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.
References
Link | Resource |
---|---|
https://access.redhat.com/security/cve/CVE-2021-4189 | Third Party Advisory |
https://bugs.python.org/issue43285 | Patch Vendor Advisory |
https://bugzilla.redhat.com/show_bug.cgi?id=2036020 | Issue Tracking Patch Third Party Advisory |
https://github.com/python/cpython/commit/0ab152c6b5d95caa2dc1a30fa96e10258b5f188e | Patch Third Party Advisory |
https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html | |
https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html | |
https://python-security.readthedocs.io/vuln/ftplib-pasv.html | Patch Third Party Advisory |
https://security-tracker.debian.org/tracker/CVE-2021-4189 | Third Party Advisory |
https://security.netapp.com/advisory/ntap-20221104-0004/ | Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
History
30 Jun 2023, 23:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
24 May 2023, 21:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
08 Dec 2022, 03:57
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:* | |
First Time |
Netapp ontap Select Deploy Administration Utility
Netapp |
|
References | (CONFIRM) https://security.netapp.com/advisory/ntap-20221104-0004/ - Third Party Advisory |
04 Nov 2022, 16:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
29 Aug 2022, 13:31
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-252 | |
CPE | cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* cpe:2.3:a:redhat:software_collections:-:*:*:*:*:*:*:* cpe:2.3:a:python:python:*:*:*:*:*:*:*:* cpe:2.3:a:python:python:3.10.0:-:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.3 |
First Time |
Python
Debian debian Linux Redhat software Collections Redhat Python python Debian Redhat enterprise Linux |
|
References | (MISC) https://bugs.python.org/issue43285 - Patch, Vendor Advisory | |
References | (MISC) https://access.redhat.com/security/cve/CVE-2021-4189 - Third Party Advisory | |
References | (MISC) https://github.com/python/cpython/commit/0ab152c6b5d95caa2dc1a30fa96e10258b5f188e - Patch, Third Party Advisory | |
References | (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=2036020 - Issue Tracking, Patch, Third Party Advisory | |
References | (MISC) https://python-security.readthedocs.io/vuln/ftplib-pasv.html - Patch, Third Party Advisory | |
References | (MISC) https://security-tracker.debian.org/tracker/CVE-2021-4189 - Third Party Advisory |
24 Aug 2022, 16:24
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-08-24 16:15
Updated : 2023-12-10 14:35
NVD link : CVE-2021-4189
Mitre link : CVE-2021-4189
CVE.ORG link : CVE-2021-4189
JSON object : View
Products Affected
debian
- debian_linux
redhat
- enterprise_linux
- software_collections
netapp
- ontap_select_deploy_administration_utility
python
- python
CWE
CWE-252
Unchecked Return Value