Lucene search

[email protected]NVD:CVE-2021-31810

HistoryJul 13, 2021 - 1:15 p.m.

CVE-2021-31810

2021-07-1313:15:09

[email protected]

web.nvd.nist.gov

ruby

vulnerability

ftp

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

5.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

EPSS

0.01

Percentile

83.7%

JSON

An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions).

Affected configurations

Nvd

Node

fedoraprojectfedoraMatch34

AND

ruby-langrubyRange≤2.6.7

ruby-langrubyRange2.7.0–2.7.3

ruby-langrubyRange3.0.0–3.0.1

Node

debiandebian_linuxMatch9.0

Node

oraclejd_edwards_enterpriseone_toolsRange<9.2.6.1

VendorProductVersionCPE
fedoraprojectfedora34cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
ruby-langruby*cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*
debiandebian_linux9.0cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
oraclejd_edwards_enterpriseone_tools*cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
fedoraproject	fedora	34	cpe:2.3:o:fedoraproject:fedora:34:::::::*
ruby-lang	ruby	*	cpe:2.3:a:ruby-lang:ruby::::::::
debian	debian_linux	9.0	cpe:2.3:o:debian:debian_linux:9.0:::::::*
oracle	jd_edwards_enterpriseone_tools	*	cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools::::::::