#VU70441 Insufficient verification of data authenticity in Apache Commons Net - CVE-2021-37533

Cybersecurity Help s.r.o.

Published: 2022-12-20

Vulnerability identifier: #VU70441

Vulnerability risk: Low

CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-37533

CWE-ID: CWE-345

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apache Commons Net
Universal components / Libraries / Software for developers

Vendor: Apache Foundation

Description

The vulnerability allows an attacker to redirect victim to a malicious host.

The vulnerability exists due to the application trusts the host from PASV response by default. A remote attacker can trick the victim into connecting to an attacker controlled FTP server and then redirect the application to another host.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Apache Commons Net: 1.0.0 - 3.8.0

External links
https://lists.apache.org/thread/o6yn9r9x6s94v97264hmgol1sf48mvx7
https://www.openwall.com/lists/oss-security/2022/12/03/1
https://issues.apache.org/jira/browse/NET-711

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM User Entity Behavior Analytics

Multiple vulnerabilities in Cloudera Data Platform Private Cloud Base with IBM (CDP)

Multiple vulnerabilities in IBM Knowledge Catalog for IBM Cloud Pak for Data

IBM QRadar SIEM update for Apache Commons Net

Multiple vulnerabilities in Dell Secure Connect Gateway

Multiple vulnerabilities in IBM DataStage on Cloud Pak for Data

IBM B2B Sterling Integrator update for Apache Commons Net

Multiple vulnerabilities in IBM Analytics Content Hub

Multiple vulnerabilities in IBM Cloud Pak for AIOps

Multiple vulnerabilities in Enterprise Manager Base Platform