Description: Prior to Apache Commons Net 3.9.0, the library's FTP client trusts the host address contained in the server's PASV response by default. A malicious server can therefore redirect the client's data connection to a different host of its choosing, although the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false, so the host in the PASV response is ignored and the data connection goes to the host the control connection was made to, as cURL does. See
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues)
References: DLA-3251-1, DSA-5307-1
Debian Bugs: 1025910
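The mechanism behind this CVE is a protocol-level decision, not a Java detail: a 227 reply to PASV carries six decimal octets (IPv4 address plus 16-bit port), and the client chooses whether to honour the address or only the port. The example below is added here and is neither part of this tracker page nor Commons Net's own code; it is written in Python so the two policies can be compared side by side. The function names (parse_pasv, data_endpoint, pasv_redirect_risk), the server address 203.0.113.10 and the three replies are all constructed for illustration. trust_pasv_host=True reproduces the pre-3.9.0 default; trust_pasv_host=False reproduces the 3.9.0 default, which Commons Net exposes as FTPClient.setIpAddressFromPasvResponse(boolean).

```python
import ipaddress
import re

# RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" -- h1..h4 are the
# IPv4 octets, p1,p2 the big-endian halves of the data port.
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

# Ranges a client should never be steered into by an external FTP server.
# Enumerated explicitly because ipaddress.is_private also flags documentation
# ranges such as 203.0.113.0/24, which would mislabel the constructed server.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def parse_pasv(reply: str) -> tuple[str, int]:
    """Return the (host, port) advertised in a 227 reply; reject malformed input."""
    if not reply.startswith("227"):
        raise ValueError(f"not a PASV reply: {reply!r}")
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError(f"malformed PASV reply: {reply!r}")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range in PASV reply: {reply!r}")
    host = ".".join(str(o) for o in octets[:4])
    port = (octets[4] << 8) | octets[5]
    if port == 0:
        raise ValueError(f"port 0 in PASV reply: {reply!r}")
    return host, port


def data_endpoint(control_host: str, reply: str, trust_pasv_host: bool) -> tuple[str, int]:
    """Decide where the data connection is opened.

    trust_pasv_host=True  : pre-3.9.0 behaviour, connect to whatever the server said.
    trust_pasv_host=False : 3.9.0 default (and curl), take only the port from the
                            reply and reuse the control connection's host.
    """
    advertised_host, port = parse_pasv(reply)
    return (advertised_host if trust_pasv_host else control_host, port)


def pasv_redirect_risk(control_host: str, reply: str) -> dict:
    """Describe what a trusting client would have done with this reply.

    Handy when reviewing FTP control-channel logs: a reply whose address differs
    from the server's, especially one inside RFC 1918 or loopback space, is the
    signature of the redirect this advisory describes.
    """
    advertised_host, port = parse_pasv(reply)
    addr = ipaddress.ip_address(advertised_host)
    return {
        "advertised": (advertised_host, port),
        "redirected": advertised_host != control_host,
        "internal_target": any(addr in net for net in INTERNAL_NETS),
    }


if __name__ == "__main__":
    SERVER = "203.0.113.10"  # constructed: the (malicious) server the client dialed
    REPLIES = [              # constructed replies, not captured traffic
        "227 Entering Passive Mode (203,0,113,10,195,80)",  # honest: same host, port 50000
        "227 Entering Passive Mode (10,0,0,5,19,137)",      # hostile: client's LAN, port 5001
        "227 Entering Passive Mode (127,0,0,1,0,22)",       # hostile: client's loopback, port 22
    ]
    for r in REPLIES:
        print(r)
        print("  pre-3.9.0 client connects to", data_endpoint(SERVER, r, trust_pasv_host=True))
        print("  3.9.0 client connects to    ", data_endpoint(SERVER, r, trust_pasv_host=False))
        print("  risk:", pasv_redirect_risk(SERVER, r))
```

With the hardened policy the second and third replies still open a data connection, but to 203.0.113.10:5001 and 203.0.113.10:22 rather than into the client's own network, so the server learns nothing about internal services. The same check can be applied on the wire by a proxy or IDS: any 227 whose address differs from the server's source address deserves an alert, whether or not the client behind it has been upgraded.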

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package             Release                        Version         Status
libcommons-net-java (PTS)  buster                         3.6-1           vulnerable
                           buster (security)              3.6-1+deb10u1   fixed
                           bullseye (security), bullseye  3.6-1+deb11u1   fixed
                           sid, trixie, bookworm          3.9.0-1         fixed

The information below is based on the following data on fixed versions.

Package   Type   Release   Fixed Version   Urgency   Origin   Debian Bugs

Notes: (commons-net-3.9.0-RC1)
