#VU70441 Insufficient verification of data authenticity in Apache Commons Net

Published: 2022-12-20

Vulnerability identifier: #VU70441

Vulnerability risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-37533


Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apache Commons Net
Universal components / Libraries / Software for developers

Vendor: Apache Foundation


The vulnerability allows an attacker to redirect victim to a malicious host.

The vulnerability exists due to the application trusts the host from PASV response by default. A remote attacker can trick the victim into connecting to an attacker controlled FTP server and then redirect the application to another host.

Install updates from vendor's website.

Vulnerable software versions

Apache Commons Net: 1.0.0 - 3.8.0

External links

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability