{"api_version":"1","generated_at":"2026-04-23T00:40:34+00:00","cve":"CVE-2021-4189","urls":{"html":"https://cve.report/CVE-2021-4189","api":"https://cve.report/api/cve/CVE-2021-4189.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-4189","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-4189"},"summary":{"title":"CVE-2021-4189","description":"A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2022-08-24 16:15:00","updated_at":"2023-06-30 23:15:00"},"problem_types":["CWE-252"],"metrics":[],"references":[{"url":"https://github.com/python/cpython/commit/0ab152c6b5d95caa2dc1a30fa96e10258b5f188e","name":"https://github.com/python/cpython/commit/0ab152c6b5d95caa2dc1a30fa96e10258b5f188e","refsource":"MISC","tags":[],"title":"bpo-43285 Make ftplib not trust the PASV response. (GH-24838) · python/cpython@0ab152c · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.netapp.com/advisory/ntap-20221104-0004/","name":"https://security.netapp.com/advisory/ntap-20221104-0004/","refsource":"CONFIRM","tags":[],"title":"CVE-2021-4189 Python Vulnerability in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html","name":"[debian-lts-announce] 20230630 [SECURITY] [DLA 3477-1] python3.7 security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 3477-1] python3.7 security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html","name":"[debian-lts-announce] 20230524 [SECURITY] [DLA 3432-1] python2.7 security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 3432-1] python2.7 security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://bugs.python.org/issue43285","name":"https://bugs.python.org/issue43285","refsource":"MISC","tags":[],"title":"Issue 43285: ftplib should not use the host from the PASV response - Python tracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security-tracker.debian.org/tracker/CVE-2021-4189","name":"https://security-tracker.debian.org/tracker/CVE-2021-4189","refsource":"MISC","tags":[],"title":"CVE-2021-4189","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://access.redhat.com/security/cve/CVE-2021-4189","name":"https://access.redhat.com/security/cve/CVE-2021-4189","refsource":"MISC","tags":[],"title":"Red Hat Customer Portal - Access to 24x7 support and knowledge","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2036020","name":"https://bugzilla.redhat.com/show_bug.cgi?id=2036020","refsource":"MISC","tags":[],"title":"2036020 – (CVE-2021-4189) CVE-2021-4189 python: ftplib should not use the host from the PASV response","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://python-security.readthedocs.io/vuln/ftplib-pasv.html","name":"https://python-security.readthedocs.io/vuln/ftplib-pasv.html","refsource":"MISC","tags":[],"title":"ftplib should not use the host from the PASV response — Python Security 0.0 documentation","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-4189","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-4189","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"4189","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"4189","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"11.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"4189","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"netapp","cpe5":"ontap_select_deploy_administration_utility","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"4189","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"python","cpe5":"python","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"4189","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"python","cpe5":"python","cpe6":"3.10.0","cpe7":"-","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"4189","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux","cpe6":"8.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"4189","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"software_collections","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-4189","qid":"159808","title":"Oracle Enterprise Linux Security Update for python3 (ELSA-2022-1986)"},{"cve":"CVE-2021-4189","qid":"159819","title":"Oracle Enterprise Linux Security Update for python27:2.7 (ELSA-2022-1821)"},{"cve":"CVE-2021-4189","qid":"179069","title":"Debian Security Update for python2.7 (DLA 2919-1)"},{"cve":"CVE-2021-4189","qid":"181802","title":"Debian Security Update for python2.7 (DLA 3432-1)"},{"cve":"CVE-2021-4189","qid":"198714","title":"Ubuntu Security Notification for Python Vulnerabilities (USN-5342-1)"},{"cve":"CVE-2021-4189","qid":"240254","title":"Red Hat Update for python27-python and python27-python-pip (RHSA-2022:1663)"},{"cve":"CVE-2021-4189","qid":"240302","title":"Red Hat Update for python27:2.7 (RHSA-2022:1821)"},{"cve":"CVE-2021-4189","qid":"240313","title":"Red Hat Update for python3 (RHSA-2022:1986)"},{"cve":"CVE-2021-4189","qid":"282427","title":"Fedora Security Update for python2.7 (FEDORA-2022-18ad73aba6)"},{"cve":"CVE-2021-4189","qid":"282428","title":"Fedora Security Update for python2.7 (FEDORA-2022-ef99a016f6)"},{"cve":"CVE-2021-4189","qid":"353942","title":"Amazon Linux Security Advisory for python : ALAS2-2022-1802"},{"cve":"CVE-2021-4189","qid":"353955","title":"Amazon Linux Security Advisory for python27 : ALAS-2022-1593"},{"cve":"CVE-2021-4189","qid":"6000019","title":"Debian Security Update for python3.7 (DLA 3477-1)"},{"cve":"CVE-2021-4189","qid":"671550","title":"EulerOS Security Update for python3 (EulerOS-SA-2022-1582)"},{"cve":"CVE-2021-4189","qid":"671614","title":"EulerOS Security Update for python2 (EulerOS-SA-2022-1581)"},{"cve":"CVE-2021-4189","qid":"671634","title":"EulerOS Security Update for python3 (EulerOS-SA-2022-1664)"},{"cve":"CVE-2021-4189","qid":"671643","title":"EulerOS Security Update for python3 (EulerOS-SA-2022-1650)"},{"cve":"CVE-2021-4189","qid":"671674","title":"EulerOS Security Update for python (EulerOS-SA-2022-1757)"},{"cve":"CVE-2021-4189","qid":"671858","title":"EulerOS Security Update for python (EulerOS-SA-2022-1911)"},{"cve":"CVE-2021-4189","qid":"751895","title":"SUSE Enterprise Linux Security Update for python3 (SUSE-SU-2022:0882-1)"},{"cve":"CVE-2021-4189","qid":"751961","title":"OpenSUSE Security Update for python (openSUSE-SU-2022:1091-1)"},{"cve":"CVE-2021-4189","qid":"751976","title":"SUSE Enterprise Linux Security Update for python (SUSE-SU-2022:1140-1)"},{"cve":"CVE-2021-4189","qid":"751979","title":"SUSE Enterprise Linux Security Update for python (SUSE-SU-2022:1091-1)"},{"cve":"CVE-2021-4189","qid":"940499","title":"AlmaLinux Security Update for python27:2.7 (ALSA-2022:1821)"},{"cve":"CVE-2021-4189","qid":"940530","title":"AlmaLinux Security Update for python3 (ALSA-2022:1986)"},{"cve":"CVE-2021-4189","qid":"960259","title":"Rocky Linux Security Update for python27:2.7 (RLSA-2022:1821)"},{"cve":"CVE-2021-4189","qid":"960408","title":"Rocky Linux Security Update for python3 (RLSA-2022:1986)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2021-4189","ASSIGNER":"secalert@redhat.com","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"python","version":{"version_data":[{"version_value":"Fixed in python 3.6.14, python 3.7.11, python 3.8.9, python 3.9.3, python 3.10.0"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Not-Known"}]}]},"references":{"reference_data":[{"refsource":"MISC","name":"https://bugs.python.org/issue43285","url":"https://bugs.python.org/issue43285"},{"refsource":"MISC","name":"https://python-security.readthedocs.io/vuln/ftplib-pasv.html","url":"https://python-security.readthedocs.io/vuln/ftplib-pasv.html"},{"refsource":"MISC","name":"https://github.com/python/cpython/commit/0ab152c6b5d95caa2dc1a30fa96e10258b5f188e","url":"https://github.com/python/cpython/commit/0ab152c6b5d95caa2dc1a30fa96e10258b5f188e"},{"refsource":"MISC","name":"https://security-tracker.debian.org/tracker/CVE-2021-4189","url":"https://security-tracker.debian.org/tracker/CVE-2021-4189"},{"refsource":"MISC","name":"https://bugzilla.redhat.com/show_bug.cgi?id=2036020","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2036020"},{"refsource":"MISC","name":"https://access.redhat.com/security/cve/CVE-2021-4189","url":"https://access.redhat.com/security/cve/CVE-2021-4189"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20221104-0004/","url":"https://security.netapp.com/advisory/ntap-20221104-0004/"},{"refsource":"MLIST","name":"[debian-lts-announce] 20230524 [SECURITY] [DLA 3432-1] python2.7 security update","url":"https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html"},{"refsource":"MLIST","name":"[debian-lts-announce] 20230630 [SECURITY] [DLA 3477-1] python3.7 security update","url":"https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html"}]},"description":{"description_data":[{"lang":"eng","value":"A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible."}]}},"nvd":{"publishedDate":"2022-08-24 16:15:00","lastModifiedDate":"2023-06-30 23:15:00","problem_types":["CWE-252"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":3.9,"impactScore":1.4}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*","versionStartIncluding":"3.9.0","versionEndExcluding":"3.9.3","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*","versionStartIncluding":"3.8.0","versionEndExcluding":"3.8.9","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*","versionStartIncluding":"3.7.0","versionEndExcluding":"3.7.11","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*","versionStartIncluding":"3.6.0","versionEndExcluding":"3.6.14","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:python:python:3.10.0:-:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:software_collections:-:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"4189","Ordinal":"224377","Title":"CVE-2021-4189","CVE":"CVE-2021-4189","Year":"2021"},"notes":[]}}}