Address Validation Flaw in GNU Inetutils FTP Client
CVE-2021-40491

6.5MEDIUM

Key Information:

Vendor: Gnu
Status: Inetutils
Vendor: CVE Published:; 3 September 2021

Summary

The FTP client in GNU Inetutils prior to version 2.2 lacks adequate validation of addresses provided by PASV/LSPV responses. This oversight can lead to scenarios where the returned addresses do not align with the server address, potentially allowing for man-in-the-middle attacks or other network-related exploits, similar to vulnerabilities noted in other software like curl.

References

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993476

https://git.savannah.gnu.org/cgit/inetutils.git/commit/?i...

https://lists.gnu.org/archive/html/bug-inetutils/2021-06/...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Sep 3, 2021
Vulnerability Reserved
Sep 3, 2021