Description

An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions).

Remediation

References

CVE-2021-31810

Related Vulnerabilities

WordPress Plugin Share Buttons by AddThis Cross-Site Scripting (4.0.7)

Oracle Database Server Other Vulnerability (CVE-2005-3445)

WordPress Plugin 2Way VideoCalls and Random Chat-HTML5 Webcam Videochat Cross-Site Scripting (4.41)

Joomla Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2015-7857)

Magento Authorization Bypass Through User-Controlled Key Vulnerability (CVE-2019-7872)

Severity

Medium

Classification

CVE-2021-31810 CWE-668 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Tags

Missing Update Known Vulnerabilities