CVE-2021-31810 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	Medium
Remote	Yes
Type	Information disclosure
Description	A security issue has been discovered in Ruby before versions 3.0.2, 2.7.4 and 2.6.8. A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes Net::FTP extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions).

Group	Package	Affected	Fixed	Severity	Status
AVG-2141	logstash	7.10.2-1		High	Not affected
AVG-2140	ruby2.6	2.6.7-1	2.6.8-1	High	Fixed
AVG-2139	ruby2.7	2.7.3-1	2.7.4-1	High	Fixed
AVG-2138	ruby	3.0.1-1	3.0.2-1	High	Fixed
AVG-1906	jruby	9.2.19.0-1	9.3.0.0-1	High	Fixed

Date	Advisory	Group	Package	Severity	Type
14 Jul 2021	ASA-202107-25	AVG-2140	ruby2.6	High	multiple issues
14 Jul 2021	ASA-202107-24	AVG-2139	ruby2.7	High	multiple issues
14 Jul 2021	ASA-202107-23	AVG-2138	ruby	High	multiple issues

References
https://www.ruby-lang.org/en/news/2021/07/07/trusting-pasv-responses-in-net-ftp/ https://hackerone.com/reports/1145454 https://github.com/ruby/net-ftp/commit/5709ece67cf57a94655e34532f8a7899b28d496a