Vulnerability identifier: #VU70441
Vulnerability risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID: CWE-345
Exploitation vector: Network
Exploit availability: No
Vulnerable software: Apache Commons Net
Category: Universal components / Libraries / Software for developers
Vendor: Apache Foundation
Description
The vulnerability allows an attacker to redirect the victim's data connection to a malicious host.
The vulnerability exists because the application trusts, by default, the host address contained in the server's PASV response. A remote attacker can trick the victim into connecting to an attacker-controlled FTP server and then redirect the application's passive-mode data connection to another host.
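As an added defensive example (not code from the advisory or from the Apache Commons Net project), the client below pins every passive-mode data connection to the host of the control connection, so the address advertised in the PASV reply is never used. It assumes the Commons Net 3.6+ `FTPClient.HostnameResolver` and `setPassiveNatWorkaroundStrategy` API, and the server, credentials and paths are placeholders.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.nio.file.Files;
import java.nio.file.Path;

import org.apache.commons.net.ftp.FTP;
import org.apache.commons.net.ftp.FTPClient;
import org.apache.commons.net.ftp.FTPReply;

/**
 * Downloads a file over FTP in passive mode while refusing to follow the
 * host advertised in the PASV reply. Assumption: Commons Net 3.6 or later,
 * which provides FTPClient.HostnameResolver (example code, not the project's).
 */
public final class PinnedPassiveFtpDownload {

    /** Resolver that always returns the control-connection host. */
    static final class ControlHostResolver implements FTPClient.HostnameResolver {
        private final FTPClient client;

        ControlHostResolver(FTPClient client) {
            this.client = client;
        }

        @Override
        public String resolve(String pasvHost) throws UnknownHostException {
            InetAddress control = client.getRemoteAddress();
            if (control == null) {
                throw new UnknownHostException("no control connection established");
            }
            String pinned = control.getHostAddress();
            if (!pinned.equals(pasvHost)) {
                // A server steering the data connection elsewhere is worth recording.
                System.err.println("PASV advertised " + pasvHost + ", using " + pinned + " instead");
            }
            return pinned;
        }
    }

    /** Builds an FTPClient whose data connections never leave the control host. */
    public static FTPClient hardenedClient() {
        FTPClient ftp = new FTPClient();
        // Replaces the default NAT workaround strategy, which only overrides
        // site-local addresses, with one that ignores the PASV host entirely.
        ftp.setPassiveNatWorkaroundStrategy(new ControlHostResolver(ftp));
        return ftp;
    }

    public static void download(String host, int port, String user, String pass,
                                String remotePath, Path localPath) throws IOException {
        FTPClient ftp = hardenedClient();
        try {
            ftp.connect(host, port);
            if (!FTPReply.isPositiveCompletion(ftp.getReplyCode())) {
                throw new IOException("server refused connection: " + ftp.getReplyString());
            }
            if (!ftp.login(user, pass)) {
                throw new IOException("login failed: " + ftp.getReplyString());
            }
            ftp.enterLocalPassiveMode();
            ftp.setFileType(FTP.BINARY_FILE_TYPE);
            try (OutputStream out = Files.newOutputStream(localPath)) {
                if (!ftp.retrieveFile(remotePath, out)) {
                    throw new IOException("retrieve failed: " + ftp.getReplyString());
                }
            }
            ftp.logout();
        } finally {
            if (ftp.isConnected()) {
                ftp.disconnect();
            }
        }
    }

    public static void main(String[] args) throws IOException {
        // Placeholder endpoint values (constructed for this example).
        download("ftp.example.invalid", 21, "anonymous", "user@example.invalid",
                 "/pub/README", Path.of("README"));
    }
}
```

The resolver is consulted only for PASV replies, which is exactly where the untrusted address arrives; the control connection's own peer address is used instead, so a server cannot steer the data connection to a third host. On versions that contain the fix (per this advisory, releases after 3.8.0) the library already defaults to the control host, and this resolver simply keeps that behaviour explicit in code that may still be built against an older release.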
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Apache Commons Net: 1.0.0 - 3.8.0
External links
http://lists.apache.org/thread/o6yn9r9x6s94v97264hmgol1sf48mvx7
http://www.openwall.com/lists/oss-security/2022/12/03/1
http://issues.apache.org/jira/browse/NET-711
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.