Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2021-4189

Published: 31 December 2021

A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.

Priority

Medium

Cvss 3 Severity Score

5.3

Score breakdown

Status

Package Release Status
python3.10
Launchpad, Ubuntu, Debian
hirsute Ignored
(end of life)
impish Not vulnerable
(3.10.0-2)
jammy Not vulnerable
(3.10.0-2)
trusty Does not exist

upstream Needs triage

xenial Does not exist

bionic Does not exist

focal Does not exist

kinetic Not vulnerable
(3.10.0-2)
lunar Does not exist

mantic Does not exist

Patches:
upstream: https://github.com/python/cpython/commit/0ab152c6b5d95caa2dc1a30fa96e10258b5f188e



python3.4
Launchpad, Ubuntu, Debian
impish Does not exist

jammy Does not exist

trusty
Released (3.4.3-1ubuntu1~14.04.7+esm12)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
upstream Needed

xenial Does not exist

bionic Does not exist

focal Does not exist

hirsute Does not exist

kinetic Does not exist

lunar Does not exist

mantic Does not exist

python3.5
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

trusty Needed

upstream Needed

xenial
Released (3.5.2-2ubuntu0~16.04.13+esm2)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
kinetic Does not exist

lunar Does not exist

mantic Does not exist

python3.6
Launchpad, Ubuntu, Debian
bionic
Released (3.6.9-1~18.04ubuntu1.7)
focal Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

trusty Does not exist

xenial Does not exist

upstream
Released (3.6.14)
kinetic Does not exist

lunar Does not exist

mantic Does not exist

Patches:

upstream: https://github.com/python/cpython/commit/4134f154ae2f621f25c5d698cc0f1748035a1b88


python3.7
Launchpad, Ubuntu, Debian
focal Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

trusty Does not exist

xenial Does not exist

bionic Needed

upstream
Released (3.7.11)
kinetic Does not exist

lunar Does not exist

mantic Does not exist

Patches:


upstream: https://github.com/python/cpython/commit/79373951b3eab585d42e0f0ab83718cbe1d0ee33

python3.8
Launchpad, Ubuntu, Debian
hirsute Does not exist

impish Does not exist

jammy Does not exist

trusty Does not exist

xenial Does not exist

bionic Needed

focal Not vulnerable

upstream Needed

kinetic Does not exist

lunar Does not exist

mantic Does not exist

python3.9
Launchpad, Ubuntu, Debian
bionic Does not exist

jammy Does not exist

trusty Does not exist

xenial Does not exist

hirsute Ignored
(end of life)
focal Not vulnerable
(3.9.5-3ubuntu0~20.04.1)
impish Not vulnerable
(3.9.7-2build1)
upstream
Released (3.9.7-1)
kinetic Does not exist

lunar Does not exist

mantic Does not exist

Patches:



upstream: https://github.com/python/cpython/commit/7dcb4baa4f0fde3aef5122a8e9f6a41853ec9335
python2.7
Launchpad, Ubuntu, Debian
upstream Needs triage

bionic
Released (2.7.17-1~18.04ubuntu1.7)
focal
Released (2.7.18-1~20.04.3+esm1)
Available with Ubuntu Pro
hirsute Ignored
(end of life)
impish Ignored
(end of life)
trusty
Released (2.7.6-8ubuntu0.6+esm12)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
xenial
Released (2.7.12-1ubuntu0~16.04.18+esm1)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
kinetic Ignored
(end of life, was needed)
lunar Does not exist

jammy
Released (2.7.18-13ubuntu1.1+esm2)
Available with Ubuntu Pro
mantic Does not exist

Severity score breakdown

Parameter Value
Base score 5.3
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality Low
Integrity impact None
Availability impact None
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N