6.5 CVE-2021-40491

Patch

 

The ftp client in GNU Inetutils before 2.2 does not validate addresses returned by PASV/LSPV responses to make sure they match the server address. This is similar to CVE-2020-8284 for curl.
https://nvd.nist.gov/vuln/detail/CVE-2021-40491

Categories

CWE-345 : Insufficient Verification of Data Authenticity
The software does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

References


 

CPE

cpe start end
Configuration 1
cpe:2.3:a:gnu:inetutils:*:*:*:*:*:*:*:* < 2.2

Patch

Url
https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=58cb043b190fd04effdaea7c9403416b436e50dd

Exploits

Exploit-db.com
id description date
No known exploits
Other (github, ...)
Url
No known exploits

CAPEC

id description severity
701 Browser in the Middle (BiTM)
High
148 Content Spoofing
Medium
218 Spoofing of UDDI/ebXML Messages
Medium
111 JSON Hijacking (aka JavaScript Hijacking)
High
665 Exploitation of Thunderbolt Protection Flaws
Very High
141 Cache Poisoning
High
142 DNS Cache Poisoning
High
384 Application API Message Manipulation via Man-in-the-Middle
Low
385 Transaction or Event Tampering via Application API Manipulation
Medium
386 Application API Navigation Remapping
Medium
387 Navigation Remapping To Propagate Malicious Content
Medium
388 Application API Button Hijacking
Medium

Sherlock® flash

Take a picture of your computer network in a few clicks !

The Sherlock® flash audit solution allows you to perform an audit to strengthen the security of your IT assets. Vulnerability analysis of your physical and virtual equipment. Patch planning by priority level and time available. Detailed and intuitive reporting.

Discover this offer

Sherlock® flash: 1st instant cybersecurity audit solution