CVE-2021-37533
Untrusted Host in PASV Response vulnerability in commons-net (Maven)


What is CVE-2021-37533 About?

This vulnerability in Apache Commons Net's FTP client allows a malicious FTP server to redirect the client to a different host by trusting the host from the PASV response. This can lead to information leakage from the client's private network. Exploitation requires the user to connect to a malicious server.

Affected Software

commons-net:commons-net <3.9.0

Technical Details

Prior to Apache Commons Net 3.9.0, the FTP client in the library trusted, without validation, the host given in a PASV (passive mode) response from an FTP server. In a standard FTP session, the client sends the PASV command to ask the server to listen on a data port; the server replies with the IP address and port number the client should use for the data transfer. A malicious FTP server could abuse this trust by supplying an arbitrary, potentially internal, IP address or hostname in its PASV response. The Commons Net client would then open its data connection to whatever host the reply named, rather than to the host it was already talking to on the control connection. This can inadvertently expose information about services running on the client's private network to the malicious server.
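To make the mechanism concrete, the following Python is an added example written for this page; it is not Commons Net's code and does not call the library. It parses the 227 PASV reply as the client would, shows the pre-3.9.0 behaviour (take the data host from the reply) beside the hardened behaviour (keep the control-connection host and take only the port from the reply), and includes a sanity check that flags a reply pointing at an internal address. The sample replies, the control host 203.0.113.10 and all function names are constructed for the example.

```python
import ipaddress
import re

# Constructed sample 227 replies (not taken from the advisory). The control
# connection was opened to 203.0.113.10; the honest reply echoes that address,
# the malicious one names an RFC 1918 host inside the client's own network.
CONTROL_HOST = "203.0.113.10"
HONEST_REPLY = "227 Entering Passive Mode (203,0,113,10,195,80)."
MALICIOUS_REPLY = "227 Entering Passive Mode (10,0,0,5,31,144)."

# RFC 959 reply syntax: (h1,h2,h3,h4,p1,p2)
_PASV_RE = re.compile(
    r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

# Address ranges treated as "internal" for the check below: RFC 1918,
# loopback and link-local. Listed explicitly rather than via is_private so the
# documentation range used for the sample control host is not misclassified.
_INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def parse_pasv_reply(reply: str) -> tuple[str, int]:
    """Extract (host, port) from a 227 reply: h1.h2.h3.h4 is the IPv4
    address and the port is p1 * 256 + p2."""
    m = _PASV_RE.search(reply)
    if m is None:
        raise ValueError(f"not a PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(x > 255 for x in fields):
        raise ValueError(f"field out of range in PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def classify_pasv_host(control_host: str, pasv_host: str) -> dict:
    """Defender-side check on the host a server put in its PASV reply:
    does it match the host we are already connected to, and does it point
    into an internal address range?"""
    addr = ipaddress.ip_address(pasv_host)
    return {
        "matches_control": pasv_host == control_host,
        "internal": any(addr in net for net in _INTERNAL_NETS),
    }


def choose_data_endpoint(control_host: str, reply: str,
                         trust_pasv_host: bool = False) -> tuple[str, int, str]:
    """Decide where the data connection goes.

    trust_pasv_host=True mirrors the vulnerable behaviour (host taken from
    the reply). The default keeps the control-connection host and uses only
    the port from the reply, which is the mitigation the advisory describes.
    The third element records which source the host came from.
    """
    pasv_host, port = parse_pasv_reply(reply)
    if trust_pasv_host:
        return pasv_host, port, "pasv-reply"
    return control_host, port, "control-connection"


if __name__ == "__main__":
    for reply in (HONEST_REPLY, MALICIOUS_REPLY):
        host, _ = parse_pasv_reply(reply)
        print(reply.strip(), "->", classify_pasv_host(CONTROL_HOST, host))
    print("vulnerable:", choose_data_endpoint(CONTROL_HOST, MALICIOUS_REPLY, True))
    print("hardened  :", choose_data_endpoint(CONTROL_HOST, MALICIOUS_REPLY))
```

Run with the malicious reply, the vulnerable path yields 10.0.0.5:8080 as the data endpoint, while the hardened path yields 203.0.113.10:8080. The classification check is useful on its own for logging or alerting: a PASV host that differs from the control host, or that falls in an internal range, is a strong signal that the server is not behaving honestly.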

What is the Impact of CVE-2021-37533?

Successful exploitation may allow attackers to leak sensitive information about internal network services or topology, or facilitate further attacks by mapping internal networks.

What is the Exploitability of CVE-2021-37533?

Exploitation of this vulnerability has moderate complexity, as it requires the user of the client application to voluntarily connect to a malicious FTP server. There are no specific authentication or privilege requirements on the client side, beyond initiating an FTP connection. The attack is remote, initiated by the malicious server's control over the PASV response. The primary constraint is convincing a victim to connect to the attacker-controlled server. The risk of exploitation increases if users are prompted to connect to FTP servers from untrusted sources or if a legitimate FTP server is compromised and turned malicious.

What are the Known Public Exploits?

PoC / Author / Link / Commentary: no known exploits

What are the Available Fixes for CVE-2021-37533?

Available Upgrade Options

  • commons-net:commons-net
    • <3.9.0 → Upgrade to 3.9.0


Additional Resources

What are Similar Vulnerabilities to CVE-2021-37533?

Similar Vulnerabilities: CVE-2023-47000, CVE-2023-46633, CVE-2023-46632, CVE-2023-46631, CVE-2023-46630