Security readout for executives and security teams
Plain-English summary
This Python FTP client flaw lets a malicious FTP server make a vulnerable client connect to an attacker-chosen IP address and port. In business terms, the risk is mainly unintended internal network probing from systems that run Python-based FTP automation, not direct server takeover.
Executive priority
Treat as a moderate hygiene and exposure-reduction item. It is most urgent where Python FTP clients run inside sensitive networks or automated data-transfer environments. Patch through normal vulnerability management unless internal scanning risk is strategically sensitive.
Technical view
Python ftplib trusted the host value returned in a PASV response by default. A malicious FTP server could influence the client’s subsequent data connection target, enabling client-side port scanning or limited network reachability disclosure. Upstream fixed behavior in Python 3.6.14, 3.7.11, 3.8.9, 3.9.3, and 3.10.0.
Likely exposure
Exposure is limited to applications or scripts using vulnerable Python ftplib FTP clients, especially when connecting to untrusted or third-party FTP servers in passive mode. Systems with vendor-backported Python fixes may be protected even if version strings look older.
Exploitation context
The source bundle does not show CISA KEV listing or active exploitation evidence. Abuse requires convincing or causing a vulnerable Python FTP client to connect to a malicious FTP server, which can then redirect the client’s data connection toward a selected address and port.
Researcher notes
Focus validation on ftplib client behavior and distro backports. The important implementation change is that PASV response host data should no longer be trusted by default. Avoid assuming broad exposure from Python presence alone; the risky condition is vulnerable FTP client usage.
Mitigation direction
- Upgrade Python to a fixed upstream version or vendor-patched package.
- Prioritize systems running automated Python FTP clients against external servers.
- Restrict outbound egress from FTP automation hosts to required destinations and ports.
- Review vendor advisories for backported fixes on supported Linux distributions.
- Retire or replace FTP workflows where secure alternatives are practical.
Validation and detection
- Inventory Python runtimes and packages used by FTP automation.
- Search code for ftplib.FTP, ftplib.FTP_TLS, and passive FTP usage.
- Confirm runtime versions meet fixed releases or vendor advisory status.
- Check whether workloads connect to untrusted or third-party FTP servers.
- Review network egress logs for unexpected FTP client connection targets.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-252: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCVE-2021-4189 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Medium
- CVSS
- 5.3 (3.1)
- Known Exploited
- No
- Published
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N3.91.4Primary CVE scoreVulnerability scoring details
Base CVSS 3.1 score
5.3MediumVector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Source materials
- CVE List V5 sourceCVE List V5
- https://bugs.python.org/issue43285CVE reference
- https://python-security.readthedocs.io/vuln/ftplib-pasv.htmlCVE reference
- https://github.com/python/cpython/commit/0ab152c6b5d95caa2dc1a30fa96e10258b5f188eCVE reference
- https://security-tracker.debian.org/tracker/CVE-2021-4189CVE reference
- https://bugzilla.redhat.com/show_bug.cgi?id=2036020CVE reference
- https://access.redhat.com/security/cve/CVE-2021-4189CVE reference
- https://security.netapp.com/advisory/ntap-20221104-0004/CVE reference
- [debian-lts-announce] 20230524 [SECURITY] [DLA 3432-1] python2.7 security updateCVE reference · mailing-list
- [debian-lts-announce] 20230630 [SECURITY] [DLA 3477-1] python3.7 security updateCVE reference · mailing-list
- https://lists.debian.org/debian-lts-announce/2024/12/msg00000.htmlCVE reference
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE mapping pending import
This CVE carries a CWE mapping that will resolve to a full Glexia CWE intelligence page after the official CWE import is complete.
