DEBIAN-CVE-2021-37533

DEBIAN-CVE-2021-37533 PUBLISHED CVSS 6.5 MEDIUM

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

Risk Scores

CVSS 3.1

6.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Affected Products

Vendor	Product	Versions
Debian:12	libcommons-net-java	0, 0, 0
Debian:11	libcommons-net-java	3.6-1, 0, 0
Debian:14	libcommons-net-java	0, 0, 0
Debian:13	libcommons-net-java	0, 0, 0

Exploit Intelligence

owaspSuppressions.xml (github-poc)

Timeline

Dec 3, 2022 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2021-37533 advisory

Open in Interactive Console →