Select your cookie preferences

We use cookies and similar tools to enhance your experience, provide our services, deliver relevant advertising, and make improvements. Approved third parties also use these tools to help us deliver advertising and provide certain site features.

CVE-2021-31810

Public on 2021-07-13
Modified on 2024-02-22
Description

An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions).

Severity
Medium
See what this means
CVSS v3 Base Score
5.4
See breakdown
Continue reading

Affected Packages

Platform Package Release Date Advisory
Amazon Linux 2 - Core ruby 2024-04-24 22:15 ALAS2-2024-2534
Amazon Linux 2 - Ruby2.6 Extra ruby 2023-08-21 20:59 ALAS2RUBY2.6-2023-004
Amazon Linux 2 - Ruby3.0 Extra ruby 2023-08-21 20:59 ALAS2RUBY3.0-2023-005

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
NVD CVSSv2 5.0 AV:N/AC:L/Au:N/C:P/I:N/A:N
NVD CVSSv3 5.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

References

Red Hat: CVE-2021-31810 Mitre: CVE-2021-31810 FAQs regarding Amazon Linux ALAS/CVE Severity