CVE-2021-40491
6.5 MEDIUMThe ftp client in GNU Inetutils before 2.2 does not validate addresses returned by PASV/LSPV responses to make sure they match the server...
Published: 2021-09-03 · Last updated: 2026-06-17
Severity and scoring
- CVSS
- 6.5 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- CWE
- CWE-345
Affected products
| Vendor | Product |
|---|---|
| debian | debian_linux, inetutils |
| gnu | debian_linux, inetutils |
Description
The ftp client in GNU Inetutils before 2.2 does not validate addresses returned by PASV/LSPV responses to make sure they match the server address. This is similar to CVE-2020-8284 for curl.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2021-40491
- [Other]https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993476
- [Patch]https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=58cb043b190fd04effdaea7c9403416b436e50dd
- [Other]https://lists.debian.org/debian-lts-announce/2022/11/msg00033.html
- [Vendor advisory]https://lists.gnu.org/archive/html/bug-inetutils/2021-06/msg00002.html
- [Other]https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993476
- [Patch]https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=58cb043b190fd04effdaea7c9403416b436e50dd
- [Other]https://lists.debian.org/debian-lts-announce/2022/11/msg00033.html
- [Vendor advisory]https://lists.gnu.org/archive/html/bug-inetutils/2021-06/msg00002.html
Related CVEs
Same vendor
- CVE-2026-49975 — Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP ... (7.5 HIGH)
- CVE-2026-42009 — A flaw was found in gnutls (7.5 HIGH)
- CVE-2026-42010 — A flaw was found in gnutls (7.1 HIGH)
- CVE-2026-3833 — A flaw was found in gnutls (6.5 MEDIUM)
- CVE-2026-3832 — A flaw was found in gnutls (3.7 LOW)
Same CWE
- CVE-2026-53862 — OpenClaw before 2026.5.12 contains a bootstrap token replay vulnerability allowing callers with pending token access to reuse tokens with... (4.2 MEDIUM)
- CVE-2026-53900 — Firefox for iOS preserved cookies set on the initial PDF request across cross-origin HTTP redirects in TemporaryDocument, allowing a mali... (4.3 MEDIUM)
- CVE-2026-53899 — Firefox for iOS used partial domain matching when attaching cookies to PDF requests, allowing a malicious site on a suffix domain to rece... (6.5 MEDIUM)
- CVE-2026-47777 — Mastodon is a free, open-source social network server based on ActivityPub (7.5 HIGH)
- CVE-2026-53406 — Insufficient Verification of Data Authenticity in Remote Control for Zoom Contact Center for Windows before version 7.0.0 may allow an au... (7.8 HIGH)