VDB
CVE-2021-40491
CVE-2021-40491
PUBLISHED
CVSS 6.5 MEDIUM
The ftp client in GNU Inetutils before 2.2 does not validate addresses returned by PASV/LSPV responses to make sure they match the server address. This is similar to CVE-2020-8284 for curl.
EPSS 0.34% · 56.8th percentile
Risk Scores
CVSS v3.1
6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS Score
0.34%
56.8th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| gnu | inetutils | 0 |
| n/a | n/a | n/a |
| debian | debian_linux | 10.0 |
Timeline
- Sep 3, 2021 CVE Published
- Sep 3, 2021 EPSS Score
- Oct 31, 2021 EPSS Score
- Dec 28, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 23, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- Apr 22, 2022 EPSS Score
- Jun 19, 2022 EPSS Score
- Aug 17, 2022 EPSS Score
- Oct 14, 2022 EPSS Score
- Dec 11, 2022 EPSS Score
References
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993476 url
- https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=58cb043b190fd04effdaea7c9403416b436e50dd url
- https://lists.gnu.org/archive/html/bug-inetutils/2021-06/msg00002.html url
- [debian-lts-announce] 20221125 [SECURITY] [DLA 3205-1] inetutils security update mailing-list
- https://nvd.nist.gov/vuln/detail/CVE-2021-40491 advisory