Tags: python, security, ftp, cve

Is it now safe to use Python ftplib in passive mode?


I found this vulnerability, CVE-2021-4189 (https://bugzilla.redhat.com/show_bug.cgi?id=2036020), in the ftplib library in Python.

CVE description: A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.

Now I am confused whether this vulnerability affects my code, which does an FTP upload in passive mode as below, or whether I should use ftp.set_pasv(False) to use active mode only.

    # Init Connection (FTP_ADDRESS, FTP_PORT and FTP_CREDENTIALS are
    # defined elsewhere in the asker's code)
    from ftplib import FTP

    ftp = FTP()
    ftp.connect(FTP_ADDRESS, FTP_PORT)
    ftp.login(*FTP_CREDENTIALS)

Solution

  • Yes, your code would be vulnerable if you have not yet updated to a fixed version of Python, and if it is using IPv4 (PASV) for data connections (which it likely does).

    I'd not recommend switching to the active mode though, as that will likely cause you problems.

    Rather, fix your code the same way the ftplib fix works – by ignoring the IP returned by the server in FTP.makepasv.

    See SmartFTP implementation in my answer to:
    Cannot list FTP directory using ftplib – but FTP client works


    Having said that, I do not consider the vulnerability serious enough to even worry about – unless your code connects to random FTP servers.
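The makepasv override the answer recommends, written out as an added example (this is not the answerer's SmartFTP code nor the ftplib patch itself; the class name SafePasvFTP and the helper trusted_pasv_target are made up for this illustration). It keeps only the port from the 227 reply and always uses the address the control connection actually reached, which is what the fixed ftplib does by default.

```python
import logging
import socket
from ftplib import FTP, parse227

log = logging.getLogger(__name__)


def trusted_pasv_target(control_peer_host, pasv_reply):
    """Take only the port from a 227 PASV reply; the data-connection host
    is always the address the control connection actually reached."""
    untrusted_host, port = parse227(pasv_reply)
    if untrusted_host != control_peer_host:
        # Worth logging: a legitimate server behind NAT may do this, but so
        # would the malicious server the CVE describes.
        log.warning("PASV reply host %s differs from control peer %s; ignoring it",
                    untrusted_host, control_peer_host)
    return control_peer_host, port


class SafePasvFTP(FTP):
    """Drop-in replacement for FTP() that never trusts the PASV host
    (hypothetical name; behaviour matches the patched ftplib default)."""

    def makepasv(self):
        if self.af != socket.AF_INET:
            # IPv6 uses EPSV, which already ties the data host to the peer.
            return super().makepasv()
        return trusted_pasv_target(self.sock.getpeername()[0],
                                   self.sendcmd("PASV"))


# Usage mirrors the asker's snippet (constants defined elsewhere):
#     ftp = SafePasvFTP()
#     ftp.connect(FTP_ADDRESS, FTP_PORT)
#     ftp.login(*FTP_CREDENTIALS)
```

On an already patched interpreter this override is redundant but harmless; on an older one it closes the gap without falling back to active mode.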