CVE-2021-4189 — MEDIUM (5.3)

Q: How severe is CVE-2021-4189?

CVE-2021-4189 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-4189?

Check the references section above for vendor advisories and patch information. Affected products include: Python Python, Debian Debian Linux, Redhat Software Collections, Redhat Enterprise Linux, Netapp Ontap Select Deploy Administration Utility.

Vulnerability Description

A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.

CVSS Score

5.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Python	Python	>= 3.6.0, < 3.6.14
Debian	Debian Linux	10.0
Redhat	Software Collections	-
Redhat	Enterprise Linux	8.0
Netapp	Ontap Select Deploy Administration Utility	-

Related Weaknesses (CWE)

CWE-252

References

https://access.redhat.com/security/cve/CVE-2021-4189Third Party Advisory
https://bugs.python.org/issue43285PatchVendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2036020Issue TrackingPatchThird Party Advisory
https://github.com/python/cpython/commit/0ab152c6b5d95caa2dc1a30fa96e10258b5f188PatchThird Party Advisory
https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html
https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html
https://python-security.readthedocs.io/vuln/ftplib-pasv.htmlPatchThird Party Advisory
https://security-tracker.debian.org/tracker/CVE-2021-4189Third Party Advisory
https://security.netapp.com/advisory/ntap-20221104-0004/Third Party Advisory
https://access.redhat.com/security/cve/CVE-2021-4189Third Party Advisory
https://bugs.python.org/issue43285PatchVendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2036020Issue TrackingPatchThird Party Advisory
https://github.com/python/cpython/commit/0ab152c6b5d95caa2dc1a30fa96e10258b5f188PatchThird Party Advisory
https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html
https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html

FAQ

What is CVE-2021-4189?

CVE-2021-4189 is a vulnerability with a CVSS score of 5.3 (MEDIUM). A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. T...

How severe is CVE-2021-4189?

CVE-2021-4189 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-4189?

Check the references section above for vendor advisories and patch information. Affected products include: Python Python, Debian Debian Linux, Redhat Software Collections, Redhat Enterprise Linux, Netapp Ontap Select Deploy Administration Utility.