CVE-2021-40491
published 2021-09-03CVE-2021-40491: The ftp client in GNU Inetutils before 2.2 does not validate addresses returned by PASV/LSPV responses to make sure they match the server address. This is…
medium6.5CVSS 3.1
AVNACLPRNUIRSUCHINAN
The ftp client in GNU Inetutils before 2.2 does not validate addresses returned by PASV/LSPV responses to make sure they match the server address. This is similar to CVE-2020-8284 for curl.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | inetutils | < inetutils 2:2.2-1 (bookworm) | inetutils 2:2.2-1 (bookworm) |
| gnu | inetutils | < 2.2 | 2.2 |
| gnu | inetutils | >= 0 < 2:2.0-1+deb11u1 | 2:2.0-1+deb11u1 |
| gnu | inetutils | >= 0 < 2:2.2-1 | 2:2.2-1 |
| gnu | inetutils | >= 0 < 2:2.2-1 | 2:2.2-1 |
| gnu | inetutils | >= 0 < 2:2.2-1 | 2:2.2-1 |
CVSS provenance
nvdv3.16.5MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
osv3.7LOW