UBUNTU-CVE-2021-37533

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2021-37533

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-37533.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2021-37533

Related

Published

2022-12-03T15:15:00Z

Modified

2022-12-03T15:15:00Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

References

Affected packages

Ubuntu:Pro:16.04:LTS / libcommons-net-java

Package

Name: libcommons-net-java
Purl: pkg:deb/ubuntu/libcommons-net-java?arch=src?distro=esm-apps/xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.4-2ubuntu2+esm1

Affected versions

3.*

3.3-2

3.4-1

3.4-2

3.4-2ubuntu2

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "3.4-2ubuntu2+esm1",
            "binary_name": "libcommons-net-java"
        },
        {
            "binary_version": "3.4-2ubuntu2+esm1",
            "binary_name": "libcommons-net-java-doc"
        }
    ]
}

Ubuntu:18.04:LTS / libcommons-net-java

Package

Name: libcommons-net-java
Purl: pkg:deb/ubuntu/libcommons-net-java?arch=src?distro=bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.6-1+deb11u1build0.18.04.1

Affected versions

3.*

3.6-1

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "3.6-1+deb11u1build0.18.04.1",
            "binary_name": "libcommons-net-java"
        },
        {
            "binary_version": "3.6-1+deb11u1build0.18.04.1",
            "binary_name": "libcommons-net-java-doc"
        }
    ]
}

Ubuntu:20.04:LTS / libcommons-net-java

Package

Name: libcommons-net-java
Purl: pkg:deb/ubuntu/libcommons-net-java?arch=src?distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.6-1+deb11u1build0.20.04.1

Affected versions

3.*

3.6-1

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "3.6-1+deb11u1build0.20.04.1",
            "binary_name": "libcommons-net-java"
        },
        {
            "binary_version": "3.6-1+deb11u1build0.20.04.1",
            "binary_name": "libcommons-net-java-doc"
        }
    ]
}

Ubuntu:22.04:LTS / libcommons-net-java

Package

Name: libcommons-net-java
Purl: pkg:deb/ubuntu/libcommons-net-java?arch=src?distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.6-1+deb11u1build0.22.04.1

Affected versions

3.*

3.6-1

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "3.6-1+deb11u1build0.22.04.1",
            "binary_name": "libcommons-net-java"
        },
        {
            "binary_version": "3.6-1+deb11u1build0.22.04.1",
            "binary_name": "libcommons-net-java-doc"
        }
    ]
}