68 matches found

Source: OSV | added 2026/06/05 10:55 a.m. | 10 views

BIT-PYTHON-MIN-2026-8328 FTP PASV SSRF, ftpcp() does not use actual peer address, trusts server-supplied PASV host address

The ftpcp function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv was patched to replace server-supplied PASV host addresses with the actual peer address getpeername(), ftpcp still calls parse227 directly and passes the raw attacker-controllable IP address and port t...

CVSS 5.9 | AI score 5.8 | EPSS 0.00401 | Exploits 0 | References 9
Source: OSV | added 2026/06/05 10:55 a.m. | 8 views

BIT-PYTHON-2026-8328 FTP PASV SSRF, ftpcp() does not use actual peer address, trusts server-supplied PASV host address

The ftpcp function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv was patched to replace server-supplied PASV host addresses with the actual peer address getpeername(), ftpcp still calls parse227 directly and passes the raw attacker-controllable IP address and port t...

CVSS 5.9 | AI score 5.8 | EPSS 0.00401 | Exploits 0 | References 9
Source: OSV | added 2026/05/13 9:16 p.m. | 5 views

UBUNTU-CVE-2026-8328

The ftpcp function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv was patched to replace server-supplied PASV host addresses with the actual peer address getpeername(), ftpcp still calls parse227 directly and passes the raw attacker-controllable IP address and port t...

CVSS 5.9 | AI score 5.8 | EPSS 0.00401 | Exploits 0 | References 3
Source: OSV | added 2026/05/13 8:14 p.m. | 13 views

PSF-2026-24

The ftpcp function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv was patched to replace server-supplied PASV host addresses with the actual peer address getpeername(), ftpcp still calls parse227 directly and passes the raw attacker-controllable IP address and port t...

CVSS 5.9 | AI score 5.8 | EPSS 0.00401 | Exploits 0 | References 8
Source: Debian CVE | added 2026/05/13 8:14 p.m. | 10 views

CVE-2026-8328

The ftpcp function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv was patched to replace server-supplied PASV host addresses with the actual peer address getpeername(), ftpcp still calls parse227 directly and passes the raw attacker-controllable IP address and port t...

CVSS 5.9 | AI score 5.8 | EPSS 0.00401 | Exploits 0
Source: Tenable Nessus | added 2026/01/20 12:00 a.m. | 5 views

MiracleLinux 8 : python3-3.6.8-45.el8.ML.1 (AXSA:2022-3487:01)

The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2022-3487:01 advisory. python: ftplib should not use the host from the PASV response CVE-2021-4189 python: urllib: HTTP client possible infinite loop on a 100 Continue...

CVSS 7.5 | AI score 8.3 | EPSS 0.11586 | Exploits 1 | References 3
Source: Tenable Nessus | added 2025/05/14 12:00 a.m. | 8 views

Alibaba Cloud Linux 3 : 0170: python3 (ALINUX3-SA-2022:0170)

The remote Alibaba Cloud Linux 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALINUX3-SA-2022:0170 advisory. Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities: CVE-2015-20107: In Python aka CPython...

CVSS 8 | AI score 7.4 | EPSS 0.11586 | Exploits 3 | References 6
Source: Tenable Nessus | added 2025/03/05 12:00 a.m. | 12 views

Linux Distros Unpatched Vulnerability : CVE-2021-4189

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A flaw was found in Python, specifically in the FTP File Transfer Protocol client library in PASV passive mode. The issue is how the FTP client trusts the host...

CVSS 5.3 | AI score 6.9 | EPSS 0.02511 | Exploits 0 | References 2
Source: Tenable Nessus | added 2024/11/14 12:00 a.m. | 11 views

Fedora 37 : python2.7 (2022-b8559307db)

The remote Fedora 37 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2022-b8559307db advisory. Automatic update for python2.7-2.7.18-20.fc37. Changelog Wed Feb 16 2022 Charalampos Stratakis - 2.7.18-20 - Security fixes for CVE-2021-4189 and...

CVSS 7.5 | AI score 7.3 | EPSS 0.08325 | Exploits 1 | References 3
Source: OpenVAS | added 2024/07/12 12:00 a.m. | 52 views

Ubuntu: Security Advisory (USN-6891-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 9.8 | AI score 8.1 | EPSS 0.23293 | Exploits 27 | References 2
Source: OpenVAS | added 2023/07/03 12:00 a.m. | 23 views

Debian: Security Advisory (DLA-3477-1)

The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 8 | AI score 7.4 | EPSS 0.11586 | Exploits 4 | References 4
Source: Tenable Nessus | added 2023/07/01 12:00 a.m. | 35 views

Debian dla-3477 : idle-python3.7 - security update

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3477 advisory. - ------------------------------------------------------------------------- Debian LTS Advisory DLA-3477-1 [email protected]...

CVSS 8 | AI score 7.4 | EPSS 0.11586 | Exploits 4 | References 16
Source: Debian | added 2023/06/30 8:52 p.m. | 67 views

[SECURITY] [DLA 3477-1] python3.7 security update

------------------------------------------------------------------------- Debian LTS Advisory DLA-3477-1 [email protected] https://www.debian.org/lts/security/ Adrian Bunk June 30, 2023 https://wiki.debian.org/LTS -...

CVSS 8 | AI score 8.5 | EPSS 0.11586 | Exploits 4
Source: Debian | added 2023/05/24 5:31 p.m. | 53 views

[SECURITY] [DLA 3432-1] python2.7 security update

------------------------------------------------------------------------- Debian LTS Advisory DLA-3432-1 [email protected] https://www.debian.org/lts/security/ Sylvain Beucler May 24, 2023 https://wiki.debian.org/LTS -...

CVSS 9.8 | AI score 9.4 | EPSS 0.23293 | Exploits 7
Source: SUSE CVE | added 2023/02/15 3:47 a.m. | 3 views

SUSE CVE-2021-4189

A flaw was found in Python, specifically in the FTP File Transfer Protocol client library in PASV passive mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecti...

CVSS 5.3 | AI score 9 | EPSS 0.02511 | Exploits 0 | References 8
Source: OpenVAS | added 2023/01/31 12:00 a.m. | 35 views

Huawei EulerOS: Security Advisory for python (EulerOS-SA-2023-1284)

The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 7.5 | AI score 7.1 | EPSS 0.11586 | Exploits 3 | References 2
Source: OpenVAS | added 2023/01/27 12:00 a.m. | 25 views

Ubuntu: Security Advisory (USN-5342-3)

The remote host is missing an update for the SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 7.5 | AI score 7.1 | EPSS 0.08325 | Exploits 1 | References 2
Source: IBM Security Bulletins | added 2023/01/12 9:59 p.m. | 36 views

Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a possible sensitive information exposure in Python (CVE-2021-4189).

Summary IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a possible sensitive information exposure in Python, caused by a flaw when using the FTP client library in PASV passive mode. CVE-2021-4189. Python is used in the base operating system used by IBM Watson...

CVSS 5.3 | AI score 6.2 | EPSS 0.02511 | Exploits 0 | Affected software 1
Source: OpenVAS | added 2022/10/12 12:00 a.m. | 21 views

Huawei EulerOS: Security Advisory for python3 (EulerOS-SA-2022-2586)

The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 7.5 | AI score 7 | EPSS 0.08325 | Exploits 1 | References 2
Source: Tenable Nessus | added 2022/10/10 12:00 a.m. | 35 views

EulerOS Virtualization 3.0.6.0 : python3 (EulerOS-SA-2022-2586)

According to the versions of the python3 packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - A flaw was found in Python, specifically in the FTP File Transfer Protocol client library in PASV passive mode. The issue is how...

CVSS 7.5 | AI score 7.1 | EPSS 0.08325 | Exploits 1 | References 3