CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
EPSS
Percentile
83.7%
An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x
through 3.0.1. A malicious FTP server can use the PASV response to trick
Net::FTP into connecting back to a given IP address and port. This
potentially makes curl extract information about services that are
otherwise private and not disclosed (e.g., the attacker can conduct port
scans and service banner extractions).
Author | Note |
---|---|
leosilva | for xenial, the backport can be kind of intrusive. for now ignoring it. |
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 16.04 | noarch | ruby2.3 | < 2.3.1-2~ubuntu16.04.16+esm1 | UNKNOWN |
ubuntu | 18.04 | noarch | ruby2.5 | < 2.5.1-1ubuntu1.10 | UNKNOWN |
ubuntu | 20.04 | noarch | ruby2.7 | < 2.7.0-5ubuntu1.5 | UNKNOWN |
ubuntu | 20.10 | noarch | ruby2.7 | < 2.7.1-3ubuntu1.4 | UNKNOWN |
ubuntu | 21.04 | noarch | ruby2.7 | < 2.7.2-4ubuntu1.2 | UNKNOWN |
ubuntu | 21.10 | noarch | ruby2.7 | < 2.7.4-1ubuntu1 | UNKNOWN |
github.com/ruby/ruby/commit/3ca1399150ed4eacfd2fe1ee251b966f8d1ee469 (2.7)
hackerone.com/reports/1145454
launchpad.net/bugs/cve/CVE-2021-31810
nvd.nist.gov/vuln/detail/CVE-2021-31810
security-tracker.debian.org/tracker/CVE-2021-31810
ubuntu.com/security/notices/USN-5020-1
www.cve.org/CVERecord?id=CVE-2021-31810
www.ruby-lang.org/en/news/2021/07/07/trusting-pasv-responses-in-net-ftp/
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
EPSS
Percentile
83.7%