File tree Expand file tree Collapse file tree 2 files changed +64
-0
lines changed
Expand file tree Collapse file tree 2 files changed +64
-0
lines changed Original file line number Diff line number Diff line change 1+ ---
2+ engine : jruby
3+ cve : 2021-31810
4+ ghsa : wr95-679j-87v9
5+ url : https://nvd.nist.gov/vuln/detail/CVE-2021-31810
6+ title : Trusting FTP PASV responses vulnerability in Net::FTP
7+ date : 2021-07-13
8+ description : |
9+ A malicious FTP server can use the PASV response to trick Net::FTP
10+ into connecting back to a given IP address and port. This potentially
11+ makes curl extract information about services that are otherwise
12+ private and not disclosed (e.g., the attacker can conduct port
13+ scans and service banner extractions).
14+ cvss_v2 : 5.0
15+ cvss_v3 : 5.8
16+ patched_versions :
17+ - " >= 9.3.0"
18+ related :
19+ url :
20+ - https://nvd.nist.gov/vuln/detail/CVE-2021-31810
21+ - https://github.com/jruby/jruby/wiki/JRuby-9.3.0.0-Release-Notes
22+ - https://github.com/jruby/jruby/issues/6825
23+ - https://github.com/jruby/jruby/pull/6802
24+ - https://github.com/ruby/net-ftp/commit/5709ece67cf57a94655e34532f8a7899b28d496a
25+ - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014818
26+ - https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html
27+ - https://hackerone.com/reports/1145454
28+ - https://github.com/advisories/GHSA-wr95-679j-87v9
Original file line number Diff line number Diff line change 1+ ---
2+ engine : ruby
3+ cve : 2021-31810
4+ ghsa : wr95-679j-87v9
5+ url : https://nvd.nist.gov/vuln/detail/CVE-2021-31810
6+ title : Trusting FTP PASV responses vulnerability in Net::FTP
7+ date : 2021-07-13
8+ description : |
9+ An issue was discovered in Ruby through
10+ 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1.
11+ A malicious FTP server can use the PASV response to trick Net::FTP
12+ into connecting back to a given IP address and port. This potentially
13+ makes curl extract information about services that are otherwise
14+ private and not disclosed (e.g., the attacker can conduct port
15+ scans and service banner extractions).
16+ cvss_v2 : 5.0
17+ cvss_v3 : 5.8
18+ patched_versions :
19+ - " ~> 2.6.8"
20+ - " ~> 2.7.4"
21+ - " >= 3.0.2"
22+ related :
23+ url :
24+ - https://nvd.nist.gov/vuln/detail/CVE-2021-31810
25+ - https://www.ruby-lang.org/en/news/2021/07/07/ruby-3-0-2-released
26+ - https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-7-4-released
27+ - https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-6-8-released
28+ - https://www.ruby-lang.org/en/news/2021/07/07/trusting-pasv-responses-in-net-ftp
29+ - https://hackerone.com/reports/1145454
30+ - https://security.gentoo.org/glsa/202401-27
31+ - https://lists.debian.org/debian-lts-announce/2021/10/msg00009.html
32+ - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWXHK5UUHVSHF7HTHMX6JY3WXDVNIHSL
33+ - https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MWXHK5UUHVSHF7HTHMX6JY3WXDVNIHSL
34+ - https://www.oracle.com/security-alerts/cpuapr2022.html
35+ - https://security.netapp.com/advisory/ntap-20210917-0001/
36+ - https://github.com/advisories/GHSA-wr95-679j-87v9
You can’t perform that action at this time.
0 commit comments