Vulnerability identifier: #VU61681
Vulnerability risk: Medium
Exploitation vector: Network
Exploit availability: No
The disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input in the FTP (File Transfer Protocol) client library when it is used in PASV (passive) mode. A remote attacker can set up a malicious FTP server and trick the Python FTP client into connecting back to a given IP address and port, which can lead to the FTP client scanning ports, something that would otherwise not have been possible.
Install updates from vendor's website.
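The check that the PASV handling described above lacks can be sketched as follows. This is an added example, not code from the advisory or from CPython: it parses a 227 reply with the standard `ftplib.parse227` helper, compares the advertised address with the control-connection peer, and always dials the peer. The names `check_pasv_reply`, `audit` and `SAMPLES` are hypothetical, the replies are constructed, and the peer is assumed to be an IPv4 literal as returned by `getpeername()[0]`.

```python
import ftplib
import ipaddress

def check_pasv_reply(resp, peer_host):
    """Validate a 227 reply received on a control connection to peer_host.

    Returns (data_host, data_port, finding). data_host is always the control
    peer, so a server-chosen address is never dialled; finding is None when
    the advertised address matches the peer, otherwise a description.
    """
    # parse227 raises error_reply / error_proto on non-227 or malformed text
    adv_host, port = ftplib.parse227(resp)
    peer = ipaddress.ip_address(peer_host)
    try:
        adv = ipaddress.ip_address(adv_host)
    except ValueError:
        # parse227 does not range-check octets (e.g. "999,0,0,1")
        return peer_host, port, f"invalid PASV address {adv_host}"
    if adv != peer:
        return peer_host, port, f"PASV address {adv} differs from control peer {peer}"
    return peer_host, port, None

# Constructed sample data: (control peer, 227 reply text)
SAMPLES = [
    ("203.0.113.10", "227 Entering Passive Mode (203,0,113,10,195,80)"),
    ("203.0.113.10", "227 Entering Passive Mode (10,0,0,5,0,22)"),
    ("203.0.113.10", "227 Entering Passive Mode (127,0,0,1,31,144)"),
    ("203.0.113.10", "227 Entering Passive Mode (999,0,0,1,0,80)"),
]

def audit(samples):
    """Run the check over every (peer, reply) pair and collect the results."""
    return [check_pasv_reply(resp, peer) for peer, resp in samples]

if __name__ == "__main__":
    for host, port, finding in audit(SAMPLES):
        print(f"{host}:{port}", finding or "ok")
```

A non-None finding is worth logging on the client side, since it means the server advertised a data address other than its own.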
Vulnerable software versions
Python: 3.6 - 3.9.2
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?