CVE-2021-37533

Name of the Vulnerable Software and Affected Versions Apache Commons Net versions prior to 3.9.0

Description The issue is related to the FTP client in Apache Commons Net, which trusts the host from PASV response by default. This allows a malicious server to redirect the Commons Net code to use a different host, potentially leading to leakage of information about services running on the private network of the client. The default behavior was changed in version 3.9.0 to ignore such hosts.

Recommendations For versions prior to 3.9.0, update to version 3.9.0 or later to change the default behavior and ignore hosts from PASV responses. As a temporary workaround, consider configuring the FTP client to not trust hosts from PASV responses.