Vulnerability Details : CVE-2021-4189
A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.
Threat overview for CVE-2021-4189
Top countries where our scanners detected CVE-2021-4189
Top open port discovered on systems with this issue
80
IPs affected by CVE-2021-4189 268,923
Threat actors abusing to this issue?
Yes
Find out if you* are
affected by CVE-2021-4189!
*Directly or indirectly through your vendors, service providers and 3rd parties.
Powered by
attack surface intelligence
from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2021-4189
Probability of exploitation activity in the next 30 days: 0.18%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 54 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2021-4189
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
5.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
3.9
|
1.4
|
NIST |
CWE ids for CVE-2021-4189
-
The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-4189
-
https://security.netapp.com/advisory/ntap-20221104-0004/
CVE-2021-4189 Python Vulnerability in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html
[SECURITY] [DLA 3477-1] python3.7 security update
-
https://security-tracker.debian.org/tracker/CVE-2021-4189
CVE-2021-4189Third Party Advisory
-
https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html
[SECURITY] [DLA 3432-1] python2.7 security update
-
https://python-security.readthedocs.io/vuln/ftplib-pasv.html
ftplib should not use the host from the PASV response — Python Security 0.0 documentationPatch;Third Party Advisory
-
https://access.redhat.com/security/cve/CVE-2021-4189
CVE-2021-4189- Red Hat Customer PortalThird Party Advisory
-
https://bugs.python.org/issue43285
Issue 43285: ftplib should not use the host from the PASV response - Python trackerPatch;Vendor Advisory
-
https://bugzilla.redhat.com/show_bug.cgi?id=2036020
2036020 – (CVE-2021-4189) CVE-2021-4189 python: ftplib should not use the host from the PASV responseIssue Tracking;Patch;Third Party Advisory
-
https://github.com/python/cpython/commit/0ab152c6b5d95caa2dc1a30fa96e10258b5f188e
bpo-43285 Make ftplib not trust the PASV response. (GH-24838) · python/cpython@0ab152c · GitHubPatch;Third Party Advisory
Products affected by CVE-2021-4189
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:software_collections:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.10.0:-:*:*:*:*:*:*