CVE-2021-37533 — Improper Input Validation in Software Foundation Apache Commons NET
Severity
6.5MEDIUMNVD
EPSS
0.2%
top 51.80%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedDec 3
Latest updateJul 15
Description
Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6
Affected Packages3 packages
Also affects: Debian Linux 10.0, 11.0
🔴Vulnerability Details
3📋Vendor Advisories
10Oracle▶
Oracle Oracle Communications Applications Risk Matrix: JCA Adaptor (Apache Commons Net) — CVE-2021-37533↗2024-07-15
Oracle▶
Oracle Oracle Communications Applications Risk Matrix: General (Apache Commons Net) — CVE-2021-37533↗2024-04-15
Oracle▶
Oracle Oracle Communications Applications Risk Matrix: Order and Service Management (Apache Commons Net) — CVE-2021-37533↗2024-01-15
Oracle▶
Oracle Oracle Commerce Risk Matrix: Content Acquisition System (Apache Commons Net) — CVE-2021-37533↗2023-10-15
Oracle▶
Oracle Oracle Communications Applications Risk Matrix: Other (Apache Commons Net) — CVE-2021-37533↗2023-07-15