CVE-2021-40491

6.5MEDIUM

Key Information:

Vendor: Gnu
Status: Inetutils
Vendor: CVE Published:; 3 September 2021

Summary

The ftp client in GNU Inetutils before 2.2 does not validate addresses returned by PASV/LSPV responses to make sure they match the server address. This is similar to CVE-2020-8284 for curl.

References

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993476

https://git.savannah.gnu.org/cgit/inetutils.git/commit/?i...

https://lists.gnu.org/archive/html/bug-inetutils/2021-06/...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Sep 3, 2021
Vulnerability Reserved
Sep 3, 2021