CVE-2021-4189

Description

A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.

How to fix CVE-2021-4189

To remediate CVE-2021-4189, upgrade the affected package to a fixed version below.

• —upgrade to 3.6.14 or later
• —upgrade to 3.6.14 or later
• —upgrade to 3.6.14 or later
• —upgrade to 7.3.5+dfsg-2 or later
• —no fix listed
• —upgrade to 3.9.2-1+deb11u2 or later

Is CVE-2021-4189 being exploited?

Low — EPSS is 1.1%, meaning exploitation activity has not been observed at scale.

Affected packages (6)

• >= 3.6.0, < 3.6.14, >= 3.7.0, < 3.7.11, >= 3.8.0, < 3.8.9, >= 3.9.0, < 3.9.3, >= 3.10.0, < 3.10.1
• >= 3.6.0, < 3.6.14, >= 3.7.0, < 3.7.11, >= 3.8.0, < 3.8.9, >= 3.9.0, < 3.9.3, >= 3.10.0, < 3.10.1
• >= 3.6.0, < 3.6.14, >= 3.7.0, < 3.7.11, >= 3.8.0, < 3.8.9, >= 3.9.0, < 3.9.3, >= 3.10.0, < 3.10.1
• from 0, < 7.3.5+dfsg-2
• from 0
• from 0, < 3.9.2-1+deb11u2

CVSS scores

References (11)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-4189
• WEBaccess.redhat.com/security/cve/CVE-2021-4189
• WEBbugs.python.org/issue43285
• WEBbugzilla.redhat.com/show_bug.cgi?id=2036020
• WEB