CVE-2021-40491

Summary

CVE	CVE-2021-40491
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2021-09-03 02:15:00 UTC
Updated	2023-02-03 19:02:00 UTC
Description	The ftp client in GNU Inetutils before 2.2 does not validate addresses returned by PASV/LSPV responses to make sure they match the server address. This is similar to CVE-2020-8284 for curl.

Risk And Classification

Problem Types: CWE-345

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Debian	Debian Linux	10.0	All	All	All
Application	Gnu	Inetutils	All	All	All	All

References

Reference	Source	Link	Tags
[SECURITY] [DLA 3205-1] inetutils security update	MLIST	lists.debian.org
#993476 - inetutils: security bug in ftp client - Debian Bug report logs	MISC	bugs.debian.org
inetutils.git - GNU Inetutils	MISC	git.savannah.gnu.org
scurity issue in inetutils ftp client	MISC	lists.gnu.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

181031 Debian Security Update for inetutils (CVE-2021-40491)
181247 Debian Security Update for inetutils (DLA 3205-1)