CVE-2021-37533

Apache Commons Net's FTP client trusts the host from PASV response by default

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

Antes de Apache Commons Net 3.9.0, el cliente FTP de Net confía en el host desde la respuesta PASV de forma predeterminada. Un servidor malicioso puede redirigir el código de Commons Net para utilizar un host diferente, pero el usuario debe conectarse al servidor malicioso en primer lugar. Esto puede provocar una fuga de información sobre los servicios que se ejecutan en la red privada del cliente. El valor predeterminado en la versión 3.9.0 ahora es falso para ignorar dichos hosts, como lo hace cURL. Consulte https://issues.apache.org/jira/browse/NET-711.

A flaw was found in Apache Commons Net's FTP, where the client trusts the host from PASV response by default. A malicious server could redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This issue could lead to leakage of information about services running on the private network of the client.

*Credits: Apache Commons would like to thank ZeddYu Lu for reporting this issue.

CVSS Scores

NISTv3.1 6.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-07-26 CVE Reserved
2022-12-03 CVE Published
2024-06-25 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-20: Improper Input Validation

CAPEC

References (6)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2022/12/03/1	Issue Tracking
https://lists.debian.org/debian-lts-announce/2022/12/msg00038.html	Mailing List

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://lists.apache.org/thread/o6yn9r9x6s94v97264hmgol1sf48mvx7	2023-01-10
https://www.debian.org/security/2022/dsa-5307	2023-01-10
https://access.redhat.com/security/cve/CVE-2021-37533	2023-06-19
https://bugzilla.redhat.com/show_bug.cgi?id=2169924	2023-06-19

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Commons Net Search vendor "Apache" for product "Commons Net"				< 3.9.0 Search vendor "Apache" for product "Commons Net" and version " < 3.9.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0"		-		Affected