CVE-2021-4189

A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
cpe:2.3:a:python:python:3.10.0:-:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:a:redhat:software_collections:-:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*

Configuration 4 (hide)

cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*

History

30 Jun 2023, 23:15

Type Values Removed Values Added
References
  • (MLIST) https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html -

24 May 2023, 21:15

Type Values Removed Values Added
CPE cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*
References
  • (MLIST) https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html -
References (CONFIRM) https://security.netapp.com/advisory/ntap-20221104-0004/ - (CONFIRM) https://security.netapp.com/advisory/ntap-20221104-0004/ - Third Party Advisory

04 Nov 2022, 16:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.3
References
  • (CONFIRM) https://security.netapp.com/advisory/ntap-20221104-0004/ -
References (MISC) https://bugs.python.org/issue43285 - (MISC) https://bugs.python.org/issue43285 - Patch, Vendor Advisory
References (MISC) https://access.redhat.com/security/cve/CVE-2021-4189 - (MISC) https://access.redhat.com/security/cve/CVE-2021-4189 - Third Party Advisory
References (MISC) https://python-security.readthedocs.io/vuln/ftplib-pasv.html - (MISC) https://python-security.readthedocs.io/vuln/ftplib-pasv.html - Patch, Third Party Advisory
References (MISC) https://github.com/python/cpython/commit/0ab152c6b5d95caa2dc1a30fa96e10258b5f188e - (MISC) https://github.com/python/cpython/commit/0ab152c6b5d95caa2dc1a30fa96e10258b5f188e - Patch, Third Party Advisory
References (MISC) https://security-tracker.debian.org/tracker/CVE-2021-4189 - (MISC) https://security-tracker.debian.org/tracker/CVE-2021-4189 - Third Party Advisory
References (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=2036020 - (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=2036020 - Issue Tracking, Patch, Third Party Advisory
CPE cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:software_collections:-:*:*:*:*:*:*:*
cpe:2.3:a:python:python:3.10.0:-:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
CWE CWE-252

24 Aug 2022, 16:24

Type Values Removed Values Added
New CVE

Information

Published : 2022-08-24 16:15

Updated : 2024-02-04 22:51


NVD link : CVE-2021-4189

Mitre link : CVE-2021-4189

CVE.ORG link : CVE-2021-4189


JSON object : View

Products Affected

redhat

  • enterprise_linux
  • software_collections

python

  • python

netapp

  • ontap_select_deploy_administration_utility

debian

  • debian_linux
CWE
CWE-252

Unchecked Return Value