5.8

CVE-2021-31810

Exploit
An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions).
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Ruby-langRuby Version <= 2.6.7
   FedoraprojectFedora Version34
Ruby-langRuby Version >= 2.7.0 <= 2.7.3
   FedoraprojectFedora Version34
Ruby-langRuby Version >= 3.0.0 <= 3.0.1
   FedoraprojectFedora Version34
DebianDebian Linux Version9.0
OracleJd Edwards Enterpriseone Tools Version < 9.2.6.1
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 3.05% 0.858
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.8 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:P/I:N/A:N
Es wurden noch keine Informationen zu CWE veröffentlicht.
https://www.oracle.com/security-alerts/cpuapr2022.html
Patch
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html
https://security.gentoo.org/glsa/202401-27
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MWXHK5UUHVSHF7HTHMX6JY3WXDVNIHSL/
https://hackerone.com/reports/1145454
Patch
Third Party Advisory
Exploit
https://lists.debian.org/debian-lts-announce/2021/10/msg00009.html
Third Party Advisory
Mailing List
https://security.netapp.com/advisory/ntap-20210917-0001/
Third Party Advisory
https://www.ruby-lang.org/en/news/2021/07/07/trusting-pasv-responses-in-net-ftp/
Vendor Advisory