|
Lines 1-3
Link Here
|
|
|
1 |
<vuln vid="18508af8-e496-11eb-b79d-0800270512f4"> |
| 2 |
<topic>rubygem-net-ftp -- Trusting FTP PASV responses vulnerability in Net::FTP</topic> |
| 3 |
<affects> |
| 4 |
<package> |
| 5 |
<name>ruby</name> |
| 6 |
<range><ge>2.6.0,1</ge><lt>2.6.8,1</lt></range> |
| 7 |
<range><ge>2.7.0,1</ge><lt>2.7.4,1</lt></range> |
| 8 |
<range><ge>3.0.0,1</ge><lt>3.0.2,1</lt></range> |
| 9 |
</package> |
| 10 |
<package> |
| 11 |
<name>rubygem-net-ftp</name> |
| 12 |
<range><lt>0.1.3</lt></range> |
| 13 |
</package> |
| 14 |
</affects> |
| 15 |
<description> |
| 16 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
| 17 |
<p>Alexandr Savca reports:</p> |
| 18 |
<blockquote cite="https://www.ruby-lang.org/en/news/2021/07/07/trusting-pasv-responses-in-net-ftp/"> |
| 19 |
<p> |
| 20 |
A malicious FTP server can use the PASV response to trick |
| 21 |
Net::FTP into connecting back to a given IP address and port. |
| 22 |
This potentially makes Net::FTP extract information about |
| 23 |
services that are otherwise private and not disclosed |
| 24 |
(e.g., the attacker can conduct port scans and service banner |
| 25 |
extractions). |
| 26 |
</p> |
| 27 |
</blockquote> |
| 28 |
</body> |
| 29 |
</description> |
| 30 |
<references> |
| 31 |
<cvename>CVE-2021-31810</cvename> |
| 32 |
<url>https://www.ruby-lang.org/en/news/2021/07/07/trusting-pasv-responses-in-net-ftp/</url> |
| 33 |
</references> |
| 34 |
<dates> |
| 35 |
<discovery>2021-07-07</discovery> |
| 36 |
<entry>2021-07-14</entry> |
| 37 |
</dates> |
| 38 |
</vuln> |
| 39 |
|
| 1 |
<vuln vid="c365536d-e3cf-11eb-9d8d-b37b683944c2"> |
40 |
<vuln vid="c365536d-e3cf-11eb-9d8d-b37b683944c2"> |
| 2 |
<topic>go -- crypto/tls: clients can panic when provided a certificate of the wrong type for the negotiated parameters</topic> |
41 |
<topic>go -- crypto/tls: clients can panic when provided a certificate of the wrong type for the negotiated parameters</topic> |
| 3 |
<affects> |
42 |
<affects> |
| 4 |
- |
|
|