BIT-ruby-2021-31810

Import Source
https://github.com/bitnami/vulndb/tree/main/data/ruby/BIT-ruby-2021-31810.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-ruby-2021-31810
Aliases
CVE-2021-31810
Published
2024-03-06T11:05:20.162Z
Modified
2024-03-06T11:25:28.861Z
Summary
[none]
Details

An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially lets the attacker use the Net::FTP client as a relay to extract information about services that are otherwise private and not disclosed (e.g., port scans and service banner extraction against hosts the client can reach, such as an internal network). Fixed in Ruby 2.6.8, 2.7.4 and 3.0.2, where Net::FTP ignores the address carried in the PASV reply and reuses the control connection's host unless use_pasv_ip is explicitly set to true.
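The following is an added example written for this page, not code from the OSV/Bitnami record or from Ruby's net-ftp itself. It shows both sides of the exchange the description refers to: the attacker-controlled 227 reply, a client that trusts the announced address (the vulnerable shape), and a client that keeps the control connection's host and takes only the port (the shape of Ruby's fix and its use_pasv_ip option, default false). The hostname ftp.example.net, the internal target 10.0.0.5:22 and all replies are constructed for illustration.

```ruby
require 'ipaddr'

# Matches the "(h1,h2,h3,h4,p1,p2)" tuple of an RFC 959 PASV reply.
# Whitespace around the commas is tolerated, as some servers emit it.
PASV_TUPLE = /\(\s*(\d{1,3})\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})\s*\)/

# Parse a PASV reply into [host, port]. Raises ArgumentError on malformed
# input so a garbage reply never silently turns into a connection attempt.
def parse_pasv(reply)
  m = PASV_TUPLE.match(reply)
  raise ArgumentError, "malformed PASV reply: #{reply.inspect}" unless m
  nums = m.captures.map(&:to_i)
  raise ArgumentError, 'octet or port byte out of range' if nums.any? { |n| n > 255 }
  host = nums[0, 4].join('.')
  port = (nums[4] << 8) | nums[5]
  raise ArgumentError, 'port 0 is not usable' if port.zero?
  [host, port]
end

# Attacker side: the reply a malicious server sends to steer a trusting
# client at ip:port (IPv4 only, because the PASV tuple itself is IPv4 only).
def craft_pasv_reply(ip, port)
  addr = IPAddr.new(ip)
  raise ArgumentError, 'PASV carries IPv4 addresses only' unless addr.ipv4?
  raise ArgumentError, 'port out of range' unless (1..65_535).cover?(port)
  "227 Entering Passive Mode (#{addr.to_s.tr('.', ',')},#{port >> 8},#{port & 0xff})"
end

# Vulnerable client logic: open the data connection wherever the server says.
# The control host is ignored, which is exactly what the attacker needs.
def data_target_vulnerable(_control_host, reply)
  parse_pasv(reply)
end

# Hardened client logic: reuse the control connection's host and take only the
# port from the reply, unless the caller explicitly opts in to the announced
# address. This mirrors the behaviour of the use_pasv_ip option (default false)
# that Ruby's fix added; the code here is an independent illustration.
def data_target_hardened(control_host, reply, use_pasv_ip: false)
  host, port = parse_pasv(reply)
  use_pasv_ip ? [host, port] : [control_host, port]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed scenario: the victim talks to ftp.example.net; the server
  # points the data connection at an internal SSH port the attacker cannot
  # reach directly. Whether the client's connect succeeds or fails tells the
  # attacker whether that port is open (the port-scan primitive).
  evil = craft_pasv_reply('10.0.0.5', 22)
  puts "server sends: #{evil}"
  puts "vulnerable -> #{data_target_vulnerable('ftp.example.net', evil).inspect}"
  puts "hardened   -> #{data_target_hardened('ftp.example.net', evil).inspect}"
end
```

The hardened path does not stop a server from choosing an arbitrary port on its own host, which is legitimate PASV behaviour; it only removes the server's ability to redirect the client to a third host. Clients that genuinely need the announced address (for example behind certain NAT setups) opt in with use_pasv_ip, and should do so only for servers they trust.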

References

Affected packages

Bitnami / ruby

Package

Name
ruby
Purl
pkg:bitnami/ruby

Severity

  • 5.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.6.8
Introduced
2.7.0
Fixed
2.7.4
Introduced
3.0.0
Fixed
3.0.2