CVE-2021-31810
Public on 2021-07-13
Modified on 2024-02-22
Description
An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions).
Severity
Medium
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 1 | ruby | No Fix Planned | ||
| Amazon Linux 2 - Core | ruby | 2024-04-24 | ALAS2-2024-2534 | Fixed |
| Amazon Linux 2 - Ruby2.6 Extra | ruby | 2023-08-21 | ALAS2RUBY2.6-2023-004 | Fixed |
| Amazon Linux 2 - Ruby3.0 Extra | ruby | 2023-08-21 | ALAS2RUBY3.0-2023-005 | Fixed |
| Amazon Linux 2023 | ruby3.2 | Not Affected |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 5.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
| NVD | CVSSv2 | 5.0 | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| NVD | CVSSv3 | 5.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N |