Bug 2036020 (CVE-2021-4189) - CVE-2021-4189 python: ftplib should not use the host from the PASV response
Summary: CVE-2021-4189 python: ftplib should not use the host from the PASV response
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-4189
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2036021 2036345 2036346 2036347 2036349 2036350 2036351 2036352 2036353 2036354 2036355 2064444 2064445
Blocks: 2034737 2036048
Reported: 2021-12-29 10:28 UTC by Dhananjay Arunesh
Modified: 2023-09-26 18:39 UTC (History)

Fixed In Version: python 3.6.14, python 3.7.11, python 3.8.9, python 3.9.3, python 3.10.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library when operating in PASV (passive) mode. The issue is that the FTP client trusts the host given in the PASV response by default. A malicious FTP server can exploit this to trick FTP clients into connecting back to an IP address and port of the server's choosing. As a result, the FTP client could be made to scan ports that would not otherwise have been reachable.
Clone Of:
Environment:
Last Closed: 2022-05-11 14:15:25 UTC
Embargoed:

Links
Red Hat Product Errata RHSA-2022:1663 (last updated 2022-05-02 08:05:19 UTC)
Red Hat Product Errata RHSA-2022:1821 (last updated 2022-05-10 13:39:35 UTC)
Red Hat Product Errata RHSA-2022:1986 (last updated 2022-05-10 14:44:12 UTC)

Description Dhananjay Arunesh 2021-12-29 10:28:46 UTC
The problem is that the ftp client trusts the host from the PASV response by default. A malicious server can trick the ftp client into connecting back to a given IP address and port. This may make the ftp client scan ports and extract service banners from a private network.

References:
https://bugs.python.org/issue43285
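The PASV handling described in the report, as an added example that is not code from this bug or from CPython: a minimal parser for a 227 reply in the style of ftplib.parse227, the pre-fix choice of data host beside the fixed one, and a mismatch check a client could log. The sample replies are constructed; the function names are my own, and the keyword argument is named after the trust_server_pasv_ipv4_address attribute the upstream fix added to ftplib.FTP.

```python
import re

# Constructed sample 227 replies (not taken from the report). The first
# advertises the same host as the control connection; the second points the
# data connection at a different, private address.
PASV_SAME_HOST = "227 Entering Passive Mode (192,0,2,10,195,80)."
PASV_OTHER_HOST = "227 Entering Passive Mode (10,0,0,5,31,144)."

_PASV_RE = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_pasv(reply):
    """Parse an RFC 959 '227' reply into (host, port), as ftplib.parse227 does.

    Raises ValueError on anything that is not a well-formed 227 reply.
    """
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    match = _PASV_RE.search(reply)
    if match is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % reply)
    nums = [int(n) for n in match.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % reply)
    host = ".".join(str(n) for n in nums[:4])
    port = (nums[4] << 8) + nums[5]
    return host, port


def data_endpoint(reply, control_peer_host, trust_server_pasv_ipv4_address=False):
    """Choose the address the client should open its data connection to.

    With trust_server_pasv_ipv4_address=True (the pre-fix behaviour) the host
    from the reply is used verbatim, so the server decides where the client
    connects. With False (the fixed default) only the port is taken from the
    reply and the host is the peer of the existing control connection.
    """
    untrusted_host, port = parse_pasv(reply)
    if trust_server_pasv_ipv4_address:
        return untrusted_host, port
    return control_peer_host, port


def pasv_host_mismatch(reply, control_peer_host):
    """True when the server advertises a host other than the one it is
    speaking from. Worth logging even after the fix, since it is the
    signature of a server trying to redirect the data connection."""
    advertised_host, _ = parse_pasv(reply)
    return advertised_host != control_peer_host
```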

Comment 1 Dhananjay Arunesh 2021-12-29 10:29:27 UTC
Created python34 tracking bugs for this issue:

Affects: epel-7 [bug 2036021]

Comment 9 Tomas Hoger 2022-03-24 21:04:25 UTC
Upstream vulnerability page:

https://python-security.readthedocs.io/vuln/ftplib-pasv.html

Fixed upstream in 3.6.14, 3.7.11, 3.8.9, 3.9.3, and 3.10.0.

Upstream fix:

https://github.com/python/cpython/commit/0ab152c6b5d95caa2dc1a30fa96e10258b5f188e

Comment 10 errata-xmlrpc 2022-05-02 08:05:16 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:1663 https://access.redhat.com/errata/RHSA-2022:1663

Comment 11 errata-xmlrpc 2022-05-10 13:39:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1821 https://access.redhat.com/errata/RHSA-2022:1821

Comment 12 errata-xmlrpc 2022-05-10 14:44:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1986 https://access.redhat.com/errata/RHSA-2022:1986

Comment 13 Product Security DevOps Team 2022-05-11 14:15:22 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-4189
