5.3

CVE-2021-4189

A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
PythonPython Version >= 3.6.0 < 3.6.14
PythonPython Version >= 3.7.0 < 3.7.11
PythonPython Version >= 3.8.0 < 3.8.9
PythonPython Version >= 3.9.0 < 3.9.3
PythonPython Version3.10.0 Update-
DebianDebian Linux Version10.0
DebianDebian Linux Version11.0
RedhatEnterprise Linux Version8.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 2.51% 0.827
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE-252 Unchecked Return Value

The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.

https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html
https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html
https://access.redhat.com/security/cve/CVE-2021-4189
Third Party Advisory
https://bugs.python.org/issue43285
Patch
Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2036020
Patch
Third Party Advisory
Issue Tracking
https://github.com/python/cpython/commit/0ab152c6b5d95caa2dc1a30fa96e10258b5f188e
Patch
Third Party Advisory
https://python-security.readthedocs.io/vuln/ftplib-pasv.html
Patch
Third Party Advisory
https://security-tracker.debian.org/tracker/CVE-2021-4189
Third Party Advisory
https://security.netapp.com/advisory/ntap-20221104-0004/
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html