{
  "threat_severity" : "Moderate",
  "public_date" : "2023-02-15T00:00:00Z",
  "bugzilla" : {
    "description" : "apache-commons-net: FTP client trusts the host from PASV response by default",
    "id" : "2169924",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2169924"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-20",
  "details" : [ "Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.", "A flaw was found in Apache Commons Net's FTP, where the client trusts the host from PASV response by default. A malicious server could redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This issue could lead to leakage of information about services running on the private network of the client." ],
  "affected_release" : [ {
    "product_name" : "RHINT Camel-Q 2.13.3",
    "release_date" : "2023-06-19T00:00:00Z",
    "advisory" : "RHSA-2023:3667",
    "cpe" : "cpe:/a:redhat:camel_quarkus:2.13",
    "package" : "apache-commons-net"
  }, {
    "product_name" : "RHINT Camel-Springboot 3.20.1",
    "release_date" : "2023-05-03T00:00:00Z",
    "advisory" : "RHSA-2023:2100",
    "cpe" : "cpe:/a:redhat:camel_spring_boot:3.20.1",
    "package" : "apache-commons-net"
  } ],
  "package_state" : [ {
    "product_name" : "A-MQ Clients 2",
    "fix_state" : "Not affected",
    "package_name" : "apache-commons-net",
    "cpe" : "cpe:/a:redhat:a_mq_clients:2"
  }, {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "openshift-logging/elasticsearch6-rhel8",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Migration Toolkit for Applications 6",
    "fix_state" : "Will not fix",
    "package_name" : "io.netty-netty-tcnative-parent",
    "cpe" : "cpe:/a:redhat:migration_toolkit_applications:6"
  }, {
    "product_name" : "Migration Toolkit for Applications 6",
    "fix_state" : "Not affected",
    "package_name" : "org.jboss.windup-windup-parent",
    "cpe" : "cpe:/a:redhat:migration_toolkit_applications:6"
  }, {
    "product_name" : "Migration Toolkit for Runtimes",
    "fix_state" : "Will not fix",
    "package_name" : "io.netty-netty-tcnative-parent",
    "cpe" : "cpe:/a:redhat:migration_toolkit_runtimes:1"
  }, {
    "product_name" : "Migration Toolkit for Runtimes",
    "fix_state" : "Not affected",
    "package_name" : "org.jboss.windup-windup-parent",
    "cpe" : "cpe:/a:redhat:migration_toolkit_runtimes:1"
  }, {
    "product_name" : "OpenShift Developer Tools and Services",
    "fix_state" : "Affected",
    "package_name" : "jenkins-2-plugins",
    "cpe" : "cpe:/a:redhat:ocp_tools"
  }, {
    "product_name" : "Red Hat Data Grid 8",
    "fix_state" : "Will not fix",
    "package_name" : "apache-commons-net",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8"
  }, {
    "product_name" : "Red Hat Decision Manager 7",
    "fix_state" : "Not affected",
    "package_name" : "apache-commons-net",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Will not fix",
    "package_name" : "apache-commons-net",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "log4j:2/log4j",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "pki-deps:10.6/apache-commons-net",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "apache-commons-net",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "log4j",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Out of support scope",
    "package_name" : "apache-commons-net",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat Integration Camel K 1",
    "fix_state" : "Affected",
    "package_name" : "apache-commons-net",
    "cpe" : "cpe:/a:redhat:integration:1"
  }, {
    "product_name" : "Red Hat JBoss Data Grid 7",
    "fix_state" : "Out of support scope",
    "package_name" : "apache-commons-net",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Out of support scope",
    "package_name" : "apache-commons-net",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "fix_state" : "Not affected",
    "package_name" : "apache-commons-net",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Not affected",
    "package_name" : "apache-commons-net",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Out of support scope",
    "package_name" : "apache-commons-net",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6"
  }, {
    "product_name" : "Red Hat JBoss Fuse Service Works 6",
    "fix_state" : "Out of support scope",
    "package_name" : "apache-commons-net",
    "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "jenkins-2-plugins",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13 (Queens)",
    "fix_state" : "Out of support scope",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:13"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Not affected",
    "package_name" : "apache-commons-net",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Out of support scope",
    "package_name" : "apache-commons-net",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Will not fix",
    "package_name" : "rh-maven36-apache-commons-net",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-37533\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-37533" ],
  "name" : "CVE-2021-37533",
  "csaw" : false
}