Related Vulnerabilities: CVE-2021-31810  

A security issue has been discovered in Ruby before versions 3.0.2, 2.7.4 and 2.6.8. A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes Net::FTP extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions).

Severity Medium

Remote Yes

Type Information disclosure

Description

A security issue has been discovered in Ruby before versions 3.0.2, 2.7.4 and 2.6.8. A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes Net::FTP extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions).

AVG-2141 logstash 7.10.1-1 High Vulnerable

AVG-2140 ruby2.6 2.6.7-1 High Vulnerable

AVG-2139 ruby2.7 2.7.3-1 High Vulnerable

AVG-2138 ruby 3.0.1-1 High Vulnerable

AVG-1906 jruby 9.2.19.0-1 High Vulnerable

https://www.ruby-lang.org/en/news/2021/07/07/trusting-pasv-responses-in-net-ftp/
https://hackerone.com/reports/1145454
https://github.com/ruby/net-ftp/commit/5709ece67cf57a94655e34532f8a7899b28d496a