IBM App Connect Enterprise Certified Container update for Apache Commons Net



Published: 2023-04-28
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2021-37533
CWE-ID CWE-345
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		App Connect Enterprise Certified Container
Server applications / Other server solutions

Vendor IBM Corporation

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Insufficient verification of data authenticity

EUVDB-ID: #VU70441

Risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-37533

CWE-ID: CWE-345 - Insufficient Verification of Data Authenticity

Exploit availability: No

Description

The vulnerability allows an attacker to redirect victim to a malicious host.

The vulnerability exists due to the application trusts the host from PASV response by default. A remote attacker can trick the victim into connecting to an attacker controlled FTP server and then redirect the application to another host.

Mitigation

Install update from vendor's website.

Vulnerable software versions

App Connect Enterprise Certified Container: before 8.1.0

External links

http://www.ibm.com/support/pages/node/6987053


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###