Title: ftplib use host from PASV response
Type: security Stage:
Components: Library (Lib) Versions: Python 3.9
Status: open Resolution:
Dependencies: Superseder:
Assigned To: Nosy List: giampaolo.rodola, ricexdream
Priority: normal Keywords:

Created on 2021-02-21 11:49 by ricexdream, last changed 2021-02-21 15:36 by shihai1991.

Messages (1)
msg387455 - Author: confd0 (ricexdream) Date: 2021-02-21 11:49
Last year, curl had a security update for CVE-2020-8284. For more info, see

The problem is that the ftp client trusts the host from the PASV response by default. A malicious server can trick the ftp client into connecting
back to a given IP address and port. This may make the ftp client scan ports and extract service banners from a private network.

After testing and reading the ftplib module, I found ftplib has the same problem.
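The report describes the risk but not a mitigation. The following is an added example, not code from the report or from CPython: it shows how a client can parse a 227 PASV reply with the standard library's own `ftplib.parse227` and then discard the advertised IPv4 address in favour of the host it is already talking to on the control connection, so a server reply cannot redirect the data connection to a third party. The function and class names (`pasv_target`, `pasv_redirects`, `PinnedPasvFTP`) and the sample reply lines are my own constructions; the hardening idea (ignore the server-supplied address unless the caller opts in) is the same one CPython later adopted.

```python
import ftplib
import socket

# Constructed sample 227 replies (not taken from the report): the first names the
# same host as the control connection, the second points the client elsewhere.
PASV_SAME_HOST = "227 Entering Passive Mode (192,0,2,10,195,80)."
PASV_OTHER_HOST = "227 Entering Passive Mode (10,0,0,5,0,22)."


def pasv_target(control_host, resp, trust_server_host=False):
    """Return the (host, port) to use for the data channel after a PASV reply.

    ftplib.parse227 extracts the host and port the server advertised and raises
    ftplib.error_reply if the line is not a 227 response.  Unless the caller
    explicitly opts in, the advertised host is ignored and the host of the
    existing control connection is reused, so only the port comes from the
    server.
    """
    advertised_host, port = ftplib.parse227(resp)
    if trust_server_host:
        return advertised_host, port
    return control_host, port


def pasv_redirects(control_host, resp):
    """True when the server's 227 reply names a host other than the control host.

    Useful as a detection hook: a legitimate server normally advertises its own
    address, so a mismatch is worth logging even when the client ignores it.
    """
    advertised_host, _ = ftplib.parse227(resp)
    return advertised_host != control_host


class PinnedPasvFTP(ftplib.FTP):
    """ftplib.FTP subclass whose IPv4 passive mode pins the data-channel host.

    Only the port is taken from the 227 reply; the host is read from the control
    socket's peer address.  IPv6 (EPSV) is left to the base class, which already
    derives the host from the control connection.
    """

    def makepasv(self):
        if self.af == socket.AF_INET:
            _, port = ftplib.parse227(self.sendcmd("PASV"))
            host = self.sock.getpeername()[0]
            return host, port
        return super().makepasv()


if __name__ == "__main__":
    for line in (PASV_SAME_HOST, PASV_OTHER_HOST):
        host, port = pasv_target("192.0.2.10", line)
        flag = "REDIRECT ATTEMPT" if pasv_redirects("192.0.2.10", line) else "ok"
        print(f"{line!r} -> connect to {host}:{port} [{flag}]")
```

`PinnedPasvFTP` is a drop-in replacement for `ftplib.FTP` in client code; `pasv_target` and `pasv_redirects` are the same logic factored out so the parsing and the policy decision can be exercised offline on captured reply lines.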
Date                 User          Action   Args
2021-02-21 15:36:22  shihai1991    set      nosy: + giampaolo.rodola
2021-02-21 11:49:34  ricexdream    create