PT-2021-4038 · Ruby+9

Published

2021-04-02

·

Updated

2025-12-12

·

CVE-2021-31810

CVSS v2.0

7.8

High

Vector AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Ruby versions prior to 2.6.8
Ruby versions 2.7.x through 2.7.3
Ruby versions 3.x through 3.0.1
Description The issue lies in the Net::FTP class of the Ruby standard library, which trusts the IP address contained in the server's reply to the PASV command when it opens the data connection. A malicious FTP server can therefore craft its PASV response to make Net::FTP connect back to an IP address and port of the server's choosing, including hosts on the client's internal network that the server could not reach directly. This lets an attacker extract information about otherwise private, undisclosed services, for example by conducting port scans and service banner extraction through the victim client.
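To make the mechanism concrete, the following is an added example (not code from Net::FTP or from the advisory) that models how a client derives the data-connection target from a 227 PASV reply: the pre-fix behaviour that trusts the advertised address, the hardened behaviour that keeps the port but reuses the control-connection peer, and a small check that flags a redirecting reply. The sample replies and the addresses 203.0.113.10 and 10.0.0.5 are constructed for illustration; the `use_pasv_ip` keyword mirrors the opt-in name the upstream fix used for the old behaviour, which you should confirm against the documentation of your Net::FTP version.

```ruby
# Added example: models PASV-reply handling as it relates to CVE-2021-31810.
# This is illustrative code, not the Net::FTP implementation.
module PasvCheck
  # Parse "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." into [host, port]
  # following the RFC 959 reply shape; anything that is not a 227 reply is rejected.
  def self.parse227(reply)
    raise ArgumentError, "not a 227 reply: #{reply.inspect}" unless reply.start_with?("227")
    m = /\(\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*\)/.match(reply)
    raise ArgumentError, "malformed 227 reply: #{reply.inspect}" unless m
    nums = m.captures.map(&:to_i)
    raise ArgumentError, "value out of range in #{reply.inspect}" if nums.any? { |n| n > 255 }
    host = nums[0, 4].join(".")
    port = (nums[4] << 8) | nums[5]
    raise ArgumentError, "port 0 is not usable" if port.zero?
    [host, port]
  end

  # Vulnerable behaviour (Ruby < 2.6.8, 2.7.0-2.7.3, 3.0.0-3.0.1): the data
  # connection goes wherever the server said, so a hostile server can point the
  # client at an internal host and port that the server itself cannot reach.
  def self.data_target_vulnerable(reply, _control_peer)
    parse227(reply)
  end

  # Hardened behaviour: keep the server's port but connect to the address the
  # control connection is already talking to. `use_pasv_ip` (assumed name,
  # after the upstream opt-in) restores the old behaviour only when asked.
  def self.data_target_fixed(reply, control_peer, use_pasv_ip: false)
    host, port = parse227(reply)
    host = control_peer unless use_pasv_ip
    [host, port]
  end

  # Detection aid: true when the advertised address differs from the peer,
  # which is what a PASV-based redirection looks like in a capture or log.
  def self.redirected?(reply, control_peer)
    parse227(reply)[0] != control_peer
  end
end

if __FILE__ == $0
  peer    = "203.0.113.10"                                     # server we connected to (constructed)
  honest  = "227 Entering Passive Mode (203,0,113,10,195,80)." # advertises itself, port 50000
  hostile = "227 Entering Passive Mode (10,0,0,5,0,22)."       # points client at internal SSH
  p PasvCheck.data_target_vulnerable(hostile, peer)  # => ["10.0.0.5", 22]
  p PasvCheck.data_target_fixed(hostile, peer)       # => ["203.0.113.10", 22]
  p PasvCheck.redirected?(honest, peer)              # => false
  p PasvCheck.redirected?(hostile, peer)             # => true
end
```

The `redirected?` check is the one to reuse when reviewing FTP traffic from a client you cannot immediately upgrade: a 227 reply whose address is not the server's own is the signature of this attack, and a legitimate server that needs a different data address can be handled by an explicit opt-in rather than by trusting every reply.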
Recommendations For Ruby versions prior to 2.6.8, update to version 2.6.8 or later. For Ruby versions 2.7.x through 2.7.3, update to version 2.7.4 or later. For Ruby versions 3.x through 3.0.1, update to version 3.0.2 or later. Until the update can be applied, restrict the use of the Net::FTP class, in particular against FTP servers that are not under your control. Note that the fixed versions keep the port from the PASV reply but open the data connection to the address of the control connection, so any code that depends on a server advertising a different data-connection address must be reviewed after updating.

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

ALSA-2021:3020
ALSA-2022:0543
ALSA-2022:0672
BDU:2021-04565
BIT-RUBY-2021-31810
BIT-RUBY-MIN-2021-31810
CESA-2021_3020
CESA-2022_0543
CESA-2022_0672
CVE-2021-31810
DLA-2780-1
DLA-3408-1
DSA-5066-1
MGASA-2021-0579
OESA-2021-1306
OPENSUSE-SU-2021:1535-1
OPENSUSE-SU-2021:3838-1
OPENSUSE-SU-2021_1535-1
OPENSUSE-SU-2021_3838-1
OPENSUSE-SU-2022_1512-1
OPENSUSE-SU-2024:11622-1
OPENSUSE-SU-2024:11623-1
OPENSUSE-SU-2024:11786-1
OPENSUSE-SU-2024:12712-1
OPENSUSE-SU-2024:13623-1
OPENSUSE-SU-2025:14621-1
OPENSUSE-SU-2025:15819-1
RHSA-2021:3020
RHSA-2021:3559
RHSA-2021:3982
RHSA-2021_3020
RHSA-2022:0543
RHSA-2022:0544
RHSA-2022:0581
RHSA-2022:0582
RHSA-2022:0672
RHSA-2022:0708
RHSA-2022_0543
RHSA-2022_0672
RHSA-2026:7305
RHSA-2026:7307
RHSA-2026:8838
RLSA-2021:3020
RLSA-2022:0543
RLSA-2022:0672
SUSE-SU-2021:3837-1
SUSE-SU-2021:3838-1
SUSE-SU-2022:15034-1
SUSE-SU-2022:1512-1
SUSE-SU-2022_1512-1
USN-5020-1

Affected Products

AlmaLinux
Astra Linux
CentOS
Linux Mint
Red Hat
RED OS
Rocky Linux
Ruby
SUSE
Ubuntu