The problem is that the ftp client trusts the host from the PASV response by default. A malicious server can trick the ftp client into connecting back to a given IP address and port. This may make the ftp client scan ports and extract service banners from a private network. References: https://bugs.python.org/issue43285
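The following is an added illustration of the check behind the upstream fix; it is not code from this bug report or from CPython's ftplib. It parses a 227 PASV reply the way the standard library does and then applies the same policy the fix introduced: the address the server advertises is ignored in favour of the control connection's peer address unless the caller explicitly opts in (the attribute `trust_server_pasv_ipv4_address` is the real name added by the upstream commit; the function names, the peer address and the sample replies here are constructed for the example). Logging the `redirect-ignored` outcome gives a defender a signal that a server tried to point the data connection somewhere else.

```python
import re
import ipaddress

# Reply format: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
# The six-number pattern mirrors what ftplib's parse227 searches for.
_227_RE = re.compile(r'(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)')


def parse_pasv_reply(reply):
    """Parse a 227 PASV reply into (host, port); raise ValueError if malformed."""
    if not reply.startswith('227'):
        raise ValueError('unexpected PASV reply: %r' % reply)
    m = _227_RE.search(reply)
    if m is None:
        raise ValueError('malformed 227 reply: %r' % reply)
    numbers = m.groups()
    host = '.'.join(numbers[:4])
    port = (int(numbers[4]) << 8) + int(numbers[5])
    # IPv4Address rejects octets above 255 (AddressValueError is a ValueError).
    ipaddress.IPv4Address(host)
    if not 0 < port < 65536:
        raise ValueError('port out of range in 227 reply: %d' % port)
    return host, port


def is_valid_pasv_reply(reply):
    """True if the reply parses cleanly, False otherwise."""
    try:
        parse_pasv_reply(reply)
    except ValueError:
        return False
    return True


def choose_data_host(reply, peer_host, trust_server_pasv_ipv4_address=False):
    """Decide where the data connection goes: (host, port, outcome).

    Policy of the upstream fix: unless the caller opts in, the advertised
    host is discarded and the control connection's peer address is used.
    'outcome' is 'match', 'redirect-ignored' or 'trusted' for logging.
    """
    advertised_host, port = parse_pasv_reply(reply)
    if trust_server_pasv_ipv4_address:
        return advertised_host, port, 'trusted'
    if advertised_host == peer_host:
        return peer_host, port, 'match'
    # The server tried to steer us to another address; keep the peer
    # address but surface the event so it can be logged or alerted on.
    return peer_host, port, 'redirect-ignored'


# Constructed sample data: a documentation-range server address, a benign
# reply pointing back at the server itself, and a reply that advertises a
# private address and a different port.
PEER = '203.0.113.10'
BENIGN = '227 Entering Passive Mode (203,0,113,10,195,80)'     # 195*256+80 = 50000
REDIRECT = '227 Entering Passive Mode (10,0,0,5,0,22)'        # 10.0.0.5:22


if __name__ == '__main__':
    for reply in (BENIGN, REDIRECT):
        host, port, outcome = choose_data_host(reply, PEER)
        print('%-45s -> connect to %s:%d (%s)' % (reply, host, port, outcome))
```

With the default (untrusting) policy both replies result in a data connection to `203.0.113.10`; only the opt-in path ever connects to the advertised `10.0.0.5`, which is the behaviour the fix removed as a default.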
Created python34 tracking bugs for this issue: Affects: epel-7 [bug 2036021]
Upstream vulnerability page: https://python-security.readthedocs.io/vuln/ftplib-pasv.html Fixed upstream in 3.6.14, 3.7.11, 3.8.9, 3.9.3, and 3.10.0. Upstream fix: https://github.com/python/cpython/commit/0ab152c6b5d95caa2dc1a30fa96e10258b5f188e
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2022:1663 https://access.redhat.com/errata/RHSA-2022:1663
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:1821 https://access.redhat.com/errata/RHSA-2022:1821
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:1986 https://access.redhat.com/errata/RHSA-2022:1986
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-4189