CVE-2021-31810

CVSS v3.1 5.8 (Medium)
CVSS v2.0 5 (Medium)
EPSS 1.00 % (84th)
Affected Products 4
Advisories 26

An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions).

Weaknesses
CWE-NVD-Other
CVE Status
PUBLISHED
CNA
MITRE
Published Date
2021-07-13 13:15:09
(3 years ago)
Updated Date
2024-01-24 05:15:09
(7 months ago)

Affected Products


Configuration #1 (any of the following)

  Product                     CPE 2.3                                        Version range
  Ruby-lang Ruby              cpe:2.3:a:ruby-lang:ruby                       <= 2.6.7
  Ruby-lang Ruby              cpe:2.3:a:ruby-lang:ruby                       >= 2.7.0, <= 2.7.3
  Ruby-lang Ruby              cpe:2.3:a:ruby-lang:ruby                       >= 3.0.0, <= 3.0.1
  Fedoraproject Fedora 34     cpe:2.3:o:fedoraproject:fedora:34

Configuration #2

  Product                     CPE 2.3                                        Version range
  Debian Linux 9.0            cpe:2.3:o:debian:debian_linux:9.0

Configuration #3

  Product                                     CPE 2.3                                          Version range
  Oracle JD Edwards EnterpriseOne Tools       cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools  < 9.2.6.1