A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes Net::FTP extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions).
References:
https://www.ruby-lang.org/en/news/2021/07/07/trusting-pasv-responses-in-net-ftp/
This was fixed upstream in Ruby versions 3.0.2, 2.7.4, and 2.6.8:
https://www.ruby-lang.org/en/news/2021/07/07/ruby-3-0-2-released/
https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-7-4-released/
https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-6-8-released/
Upstream commit in Ruby:
https://git.ruby-lang.org/ruby.git/commit/?id=bf4d05173c7cf04d8892e4b64508ecf7902717cd
This commit makes Net::FTP ignore IP addresses used in PASV responses by default and use the same IP address that is used for the main connection. The newly added attribute use_pasv_ip can be used to re-enable the old behaviour and make Net::FTP connect to the IP specified by the FTP server in the PASV response. This may be required with certain FTP servers.
Note that Ruby 3.1 will no longer include Net::FTP in its standard library, but will rather bundle the net-ftp gem. A commit for this issue in the net-ftp repo is this:
https://github.com/ruby/net-ftp/commit/5709ece67cf57a94655e34532f8a7899b28d496a
Fixed in net-ftp 0.1.3.
The commit in the net-ftp repo also references this hackerone report:
https://hackerone.com/reports/1145454
It has not been made public yet, but it's likely to get disclosed in the near future.
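The behaviour change described in the comment above, as an added example that is not part of the original comments and is not Net::FTP's own code. The helpers parse_pasv and data_endpoint and the sample replies are hypothetical and constructed for illustration; only the use_pasv_ip name comes from the page.

```ruby
# Added illustration; parse_pasv and data_endpoint are hypothetical helpers,
# not Net::FTP internals.
PASV_RE = /\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)/

# Parse a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply into
# [host, port]. Raises on a malformed reply or out-of-range octets.
def parse_pasv(reply)
  raise ArgumentError, "not a 227 reply: #{reply.inspect}" unless reply.start_with?("227")
  m = PASV_RE.match(reply) or raise ArgumentError, "no address tuple in #{reply.inspect}"
  nums = m.captures.map(&:to_i)
  raise ArgumentError, "octet out of range in #{reply.inspect}" if nums.any? { |n| n > 255 }
  [nums[0, 4].join("."), (nums[4] << 8) | nums[5]]
end

# Decide where the data connection goes.
# control_host: IP address the control connection is connected to.
# use_pasv_ip:  false mirrors the patched default (advertised IP ignored);
#               true mirrors the old behaviour (advertised IP trusted).
# Returns { host:, port:, mismatch: } so a caller can log the mismatch.
def data_endpoint(reply, control_host, use_pasv_ip: false)
  pasv_host, port = parse_pasv(reply)
  {
    host: use_pasv_ip ? pasv_host : control_host,
    port: port,
    mismatch: pasv_host != control_host
  }
end

# Constructed sample replies; the control connection is assumed to be
# to 192.0.2.10 (documentation address range).
CONTROL_HOST = "192.0.2.10"
HONEST_REPLY = "227 Entering Passive Mode (192,0,2,10,195,80)"
REDIRECT_REPLY = "227 Entering Passive Mode (10,0,0,5,0,22)"

if __FILE__ == $PROGRAM_NAME
  [HONEST_REPLY, REDIRECT_REPLY].each do |reply|
    [false, true].each do |flag|
      ep = data_endpoint(reply, CONTROL_HOST, use_pasv_ip: flag)
      puts "use_pasv_ip=#{flag} -> #{ep[:host]}:#{ep[:port]} mismatch=#{ep[:mismatch]}"
    end
  end
end
```

With the patched default the advertised address never selects the data connection's host; a mismatch is still worth logging when auditing which servers would need use_pasv_ip enabled.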
Note that this is the same issue as was recently fixed in curl as CVE-2020-8284 - bug 1902667.
Created ruby tracking bugs for this issue:
  Affects: fedora-all [bug 1980570]
Created ruby:2.5/ruby tracking bugs for this issue:
  Affects: fedora-34 [bug 1980571]
Created ruby:2.6/ruby tracking bugs for this issue:
  Affects: fedora-all [bug 1980567]
Created ruby:2.7/ruby tracking bugs for this issue:
  Affects: fedora-all [bug 1980568]
Created ruby:master/ruby tracking bugs for this issue:
  Affects: fedora-all [bug 1980569]
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8
Via RHSA-2021:3020 https://access.redhat.com/errata/RHSA-2021:3020
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-31810
This issue has been addressed in the following products:
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
Via RHSA-2021:3559 https://access.redhat.com/errata/RHSA-2021:3559
This issue has been addressed in the following products:
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
Via RHSA-2021:3982 https://access.redhat.com/errata/RHSA-2021:3982
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8
Via RHSA-2022:0543 https://access.redhat.com/errata/RHSA-2022:0543
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8.4 Extended Update Support
Via RHSA-2022:0544 https://access.redhat.com/errata/RHSA-2022:0544
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions
Via RHSA-2022:0581 https://access.redhat.com/errata/RHSA-2022:0581
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8.2 Extended Update Support
Via RHSA-2022:0582 https://access.redhat.com/errata/RHSA-2022:0582
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8
Via RHSA-2022:0672 https://access.redhat.com/errata/RHSA-2022:0672
This issue has been addressed in the following products:
  Red Hat Software Collections for Red Hat Enterprise Linux 7
Via RHSA-2022:0708 https://access.redhat.com/errata/RHSA-2022:0708