CVE-2021-37533

NameCVE-2021-37533
DescriptionPrior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3251-1, DSA-5307-1, ELA-759-1
Debian Bugs1025910

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libcommons-net-java (PTS)stretch (lts), stretch3.6-1+deb9u1fixed
buster (security), buster, buster (lts)3.6-1+deb10u1fixed
bullseye (security), bullseye3.6-1+deb11u1fixed
sid, trixie, bookworm3.9.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libcommons-net-javasourcestretch3.6-1+deb9u1ELA-759-1
libcommons-net-javasourcebuster3.6-1+deb10u1DLA-3251-1
libcommons-net-javasourcebullseye3.6-1+deb11u1DSA-5307-1
libcommons-net-javasource(unstable)3.9.0-11025910

Notes

https://lists.apache.org/thread/o6yn9r9x6s94v97264hmgol1sf48mvx7
https://issues.apache.org/jira/browse/NET-711
https://github.com/apache/commons-net/commit/b0bff89f70cfea70009e22f87639816cc3993974 (commons-net-3.9.0-RC1)
Search for package or bug name: Reporting problems