{"id":"UBUNTU-CVE-2021-40491","details":"The ftp client in GNU Inetutils before 2.2 does not validate addresses returned by PASV/LPSV responses to make sure they match the server address. This is similar to CVE-2020-8284 for curl.","modified":"2026-02-04T03:01:08.950550Z","published":"2021-09-03T02:15:00Z","related":["USN-5177-1"],"upstream":["CVE-2021-40491"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2021-40491"},{"type":"REPORT","url":"https://lists.gnu.org/archive/html/bug-inetutils/2021-06/msg00002.html"},{"type":"REPORT","url":"https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=58cb043b190fd04effdaea7c9403416b436e50dd"},{"type":"REPORT","url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993476"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-5177-1"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2021-40491"}],"affected":[{"package":{"name":"inetutils","ecosystem":"Ubuntu:Pro:14.04:LTS","purl":"pkg:deb/ubuntu/inetutils@2:1.9.2-1ubuntu0.1~esm1?arch=source&distro=trusty/esm"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2:1.9.2-1ubuntu0.1~esm1"}]}],"versions":["2:1.9.1.306-0a482-1","2:1.9.1.363-bbc1-1","2:1.9.2-1"],"ecosystem_specific":{"binaries":[{"binary_name":"inetutils-ftp","binary_version":"2:1.9.2-1ubuntu0.1~esm1"},{"binary_name":"inetutils-ftpd","binary_version":"2:1.9.2-1ubuntu0.1~esm1"},{"binary_name":"inetutils-inetd","binary_version":"2:1.9.2-1ubuntu0.1~esm1"},{"binary_name":"inetutils-ping","binary_version":"2:1.9.2-1ubuntu0.1~esm1"},{"binary_name":"inetutils-syslogd","binary_version":"2:1.9.2-1ubuntu0.1~esm1"},{"binary_name":"inetutils-talk","binary_version":"2:1.9.2-1ubuntu0.1~esm1"},{"binary_name":"inetutils-talkd","binary_version":"2:1.9.2-1ubuntu0.1~esm1"},{"binary_name":"inetutils-telnet","binary_version":"2:1.9.2-1ubuntu0.1~esm1"},{"binary_name":"inetutils-telnetd","binary_version":"2:1.9.2-1ubuntu0.1~esm1"},{"binary_name":"inetutils-tools","bina
ry_version":"2:1.9.2-1ubuntu0.1~esm1"},{"binary_name":"inetutils-traceroute","binary_version":"2:1.9.2-1ubuntu0.1~esm1"}],"availability":"Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-40491.json"}},{"package":{"name":"inetutils","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/inetutils@2:1.9.4-1ubuntu0.1~esm2?arch=source&distro=esm-apps/xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2:1.9.4-1ubuntu0.1~esm2"}]}],"versions":["2:1.9.4-1","2:1.9.4-1build1","2:1.9.4-1ubuntu0.1~esm1"],"ecosystem_specific":{"binaries":[{"binary_name":"inetutils-ftp","binary_version":"2:1.9.4-1ubuntu0.1~esm2"},{"binary_name":"inetutils-ftpd","binary_version":"2:1.9.4-1ubuntu0.1~esm2"},{"binary_name":"inetutils-inetd","binary_version":"2:1.9.4-1ubuntu0.1~esm2"},{"binary_name":"inetutils-ping","binary_version":"2:1.9.4-1ubuntu0.1~esm2"},{"binary_name":"inetutils-syslogd","binary_version":"2:1.9.4-1ubuntu0.1~esm2"},{"binary_name":"inetutils-talk","binary_version":"2:1.9.4-1ubuntu0.1~esm2"},{"binary_name":"inetutils-talkd","binary_version":"2:1.9.4-1ubuntu0.1~esm2"},{"binary_name":"inetutils-telnet","binary_version":"2:1.9.4-1ubuntu0.1~esm2"},{"binary_name":"inetutils-telnetd","binary_version":"2:1.9.4-1ubuntu0.1~esm2"},{"binary_name":"inetutils-tools","binary_version":"2:1.9.4-1ubuntu0.1~esm2"},{"binary_name":"inetutils-traceroute","binary_version":"2:1.9.4-1ubuntu0.1~esm2"}],"availability":"Available with Ubuntu Pro: 
https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-40491.json"}},{"package":{"name":"inetutils","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/inetutils@2:1.9.4-3ubuntu0.1+esm1?arch=source&distro=esm-apps/bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2:1.9.4-3ubuntu0.1+esm1"}]}],"versions":["2:1.9.4-2build1","2:1.9.4-3","2:1.9.4-3ubuntu0.1"],"ecosystem_specific":{"binaries":[{"binary_name":"inetutils-ftp","binary_version":"2:1.9.4-3ubuntu0.1+esm1"},{"binary_name":"inetutils-ftpd","binary_version":"2:1.9.4-3ubuntu0.1+esm1"},{"binary_name":"inetutils-inetd","binary_version":"2:1.9.4-3ubuntu0.1+esm1"},{"binary_name":"inetutils-ping","binary_version":"2:1.9.4-3ubuntu0.1+esm1"},{"binary_name":"inetutils-syslogd","binary_version":"2:1.9.4-3ubuntu0.1+esm1"},{"binary_name":"inetutils-talk","binary_version":"2:1.9.4-3ubuntu0.1+esm1"},{"binary_name":"inetutils-talkd","binary_version":"2:1.9.4-3ubuntu0.1+esm1"},{"binary_name":"inetutils-telnet","binary_version":"2:1.9.4-3ubuntu0.1+esm1"},{"binary_name":"inetutils-telnetd","binary_version":"2:1.9.4-3ubuntu0.1+esm1"},{"binary_name":"inetutils-tools","binary_version":"2:1.9.4-3ubuntu0.1+esm1"},{"binary_name":"inetutils-traceroute","binary_version":"2:1.9.4-3ubuntu0.1+esm1"}],"availability":"Available with Ubuntu Pro: 
https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-40491.json"}},{"package":{"name":"inetutils","ecosystem":"Ubuntu:Pro:20.04:LTS","purl":"pkg:deb/ubuntu/inetutils@2:1.9.4-11ubuntu0.1+esm1?arch=source&distro=esm-apps/focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2:1.9.4-11ubuntu0.1+esm1"}]}],"versions":["2:1.9.4-10build1","2:1.9.4-11","2:1.9.4-11ubuntu0.1"],"ecosystem_specific":{"binaries":[{"binary_name":"inetutils-ftp","binary_version":"2:1.9.4-11ubuntu0.1+esm1"},{"binary_name":"inetutils-ftpd","binary_version":"2:1.9.4-11ubuntu0.1+esm1"},{"binary_name":"inetutils-inetd","binary_version":"2:1.9.4-11ubuntu0.1+esm1"},{"binary_name":"inetutils-ping","binary_version":"2:1.9.4-11ubuntu0.1+esm1"},{"binary_name":"inetutils-syslogd","binary_version":"2:1.9.4-11ubuntu0.1+esm1"},{"binary_name":"inetutils-talk","binary_version":"2:1.9.4-11ubuntu0.1+esm1"},{"binary_name":"inetutils-talkd","binary_version":"2:1.9.4-11ubuntu0.1+esm1"},{"binary_name":"inetutils-telnet","binary_version":"2:1.9.4-11ubuntu0.1+esm1"},{"binary_name":"inetutils-telnetd","binary_version":"2:1.9.4-11ubuntu0.1+esm1"},{"binary_name":"inetutils-tools","binary_version":"2:1.9.4-11ubuntu0.1+esm1"},{"binary_name":"inetutils-traceroute","binary_version":"2:1.9.4-11ubuntu0.1+esm1"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-40491.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"type":"Ubuntu","score":"medium"}]}