Home > Vulnerability Database > CVE-2021-37533

Mend.io Vulnerability Database

CVE-2021-37533

Good to know:

Date: December 2, 2022

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

Language: Java

Severity Score

6.5

Related Resources (10)

Url: https://nvd.nist.gov/vuln/detail/CVE-2021-37533

Url: https://www.debian.org/security/2022/dsa-5307

Url: https://access.redhat.com/security/cve/CVE-2021-37533

Url: https://lists.debian.org/debian-lts-announce/2022/12/msg00038.html

Url: https://github.com/apache/commons-net

Url: https://lists.apache.org/thread/o6yn9r9x6s94v97264hmgol1sf48mvx7

Url: http://www.openwall.com/lists/oss-security/2022/12/03/1

Url: https://github.com/apache/commons-net/commit/4fe1bae56e53f32756b1ca3296f3dd2c45e3e060

Url: https://issues.apache.org/jira/browse/NET-711

Url: https://www.mend.io/vulnerability-database/CVE-2021-37533

Severity Score

6.5

Weakness Type (CWE)

Input Validation

CWE-20

Top Fix

Upgrade Version

Upgrade to version commons-net:commons-net:3.9.0

Learn More

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2021-37533

Good to know:

Date: December 2, 2022

Language: Java

Severity Score

Related Resources (10)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?