Vulnerability Description
The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.
Related Weaknesses (CWE)
References
- https://github.com/python/cpython/issues/87451
- https://github.com/python/cpython/pull/149648
- https://mail.python.org/archives/list/[email protected]/thread/ITF2BA
FAQ
What is CVE-2026-8328?
CVE-2026-8328 is a documented vulnerability. The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeer...
How severe is CVE-2026-8328?
CVSS scoring is not yet available for CVE-2026-8328. Check NVD for updates.
Is there a patch for CVE-2026-8328?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.