CVE-2021-37533: Apache Commons Net's FTP client trusts the host from PASV response by default

Published Dec 3, 2022

A flaw was found in Apache Commons Net's FTP, where the client trusts the host from PASV response by default. A malicious server could redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This issue could lead to leakage of information about services running on the private network of the client.

Other sources

Apache Commons Net could allow a remote attacker to obtain sensitive information, caused by the FTP client trusting the host from the PASV response by default. By persuading a victim to connect to a specially-crafted server, an attacker could exploit this vulnerability to obtain information about services running on the private network, and use this information to launch further attacks against the affected system.

IBM

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does.

https://lists.apache.org/thread/o6yn9r9x6s94v97264hmgol1sf48mvx7
https://issues.apache.org/jira/browse/NET-711
https://github.com/apache/commons-net/commit/b0bff89f70cfea70009e22f87639816cc3993974

Red Hat

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.
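As an added illustration (not code from the Commons Net project or from any of the sources above), the following Python shows the client-side decision the descriptions above turn on: parse a 227 PASV reply and, by default, ignore the host it advertises in favour of the control connection's peer, which is the behaviour Commons Net 3.9.0 adopted from cURL. The control-peer address and the sample replies are constructed values.

```python
import ipaddress
import re

# Address tuple of an RFC 959 "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply.
_PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (host, port) advertised by a 227 PASV reply, or raise ValueError."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    m = _PASV_RE.search(reply)
    if m is None:
        raise ValueError("no address tuple in reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range: %r" % reply)
    port = (p1 << 8) | p2
    if port == 0:
        raise ValueError("port 0 is not usable: %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), port


def data_endpoint(control_peer, reply, trust_pasv_host=False):
    """Decide where the data connection goes.

    control_peer is the IP address the control connection is actually connected to.
    With trust_pasv_host=False (the safe default) only the port is taken from the
    reply and the data connection is opened to control_peer, so the server cannot
    steer the client toward another host. The third element reports whether the
    server tried to, which a client can log as suspicious.
    """
    advertised, port = parse_pasv(reply)
    mismatch = ipaddress.ip_address(advertised) != ipaddress.ip_address(control_peer)
    host = advertised if trust_pasv_host else control_peer
    return host, port, mismatch


if __name__ == "__main__":
    # Constructed sample: the control connection is to 203.0.113.10, but the
    # server answers with an address inside the client's private network.
    control = "203.0.113.10"
    hostile = "227 Entering Passive Mode (10,0,0,5,19,137)"
    benign = "227 Entering Passive Mode (203,0,113,10,4,1)"
    print(data_endpoint(control, hostile))        # ('203.0.113.10', 5001, True)
    print(data_endpoint(control, hostile, True))  # ('10.0.0.5', 5001, True), pre-3.9.0 behaviour
    print(data_endpoint(control, benign))         # ('203.0.113.10', 1025, False)
```

The mismatch flag is the useful detection signal: a legitimate server behind NAT may also advertise a different address, so treat it as something to log and review rather than a hard error.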

Affected Software

6 affected components; fixes available:

debian/libcommons-net-java <= 3.6-1; fixed in 3.6-1+deb10u1, 3.6-1+deb11u1, 3.9.0-1
redhat/apache-commons-net < 3.9.0; fixed in 3.9.0
IBM Cognos Command Center <= 10.2.4.1
Apache Commons Net < 3.9.0
Debian / Debian Linux = 10.0
Debian / Debian Linux = 11.0

Event History

Dec 3, 2022: CVE Published (via MITRE, 12:00 AM)
Dec 3, 2022: Data Sourced (via MITRE, 12:00 AM): Description, Weakness
Dec 11, 2022: Data Sourced (08:06 PM): Severity, Affected Software
Feb 15, 2023: Data Sourced (12:00 AM): Remedy, Description, Weakness
Feb 15, 2023: Data Sourced (via Red Hat, 06:17 AM): Description, Severity, Affected Software


Frequently Asked Questions

1. What is the vulnerability ID?

The vulnerability ID is CVE-2021-37533.

2. What is the severity of CVE-2021-37533?

The severity of CVE-2021-37533 is medium with a CVSS score of 6.5.

3. What software is affected by CVE-2021-37533?

The affected software includes Apache Commons Net versions up to and exclusive of 3.9.0 and IBM Disconnected Log Collector versions up to and inclusive of v1.0 - v1.8.2.

4. How does CVE-2021-37533 work?

CVE-2021-37533 allows a malicious server to redirect the Apache Commons Net code to use a different host, potentially leading to information leakage.

5. How can I fix CVE-2021-37533?

To fix CVE-2021-37533, update to Apache Commons Net version 3.9.0 or later.
