LiveActive security incident?Get immediate response
CVE Record

CVE-2021-4189: A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passiv...

A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.

MediumCVSS 5.3Not KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

This Python FTP client flaw lets a malicious FTP server make a vulnerable client connect to an attacker-chosen IP address and port. In business terms, the risk is mainly unintended internal network probing from systems that run Python-based FTP automation, not direct server takeover.

Executive priority

Treat as a moderate hygiene and exposure-reduction item. It is most urgent where Python FTP clients run inside sensitive networks or automated data-transfer environments. Patch through normal vulnerability management unless internal scanning risk is strategically sensitive.

Technical view

Python ftplib trusted the host value returned in a PASV response by default. A malicious FTP server could influence the client’s subsequent data connection target, enabling client-side port scanning or limited network reachability disclosure. Upstream fixed behavior in Python 3.6.14, 3.7.11, 3.8.9, 3.9.3, and 3.10.0.

Likely exposure

Exposure is limited to applications or scripts using vulnerable Python ftplib FTP clients, especially when connecting to untrusted or third-party FTP servers in passive mode. Systems with vendor-backported Python fixes may be protected even if version strings look older.

Exploitation context

The source bundle does not show CISA KEV listing or active exploitation evidence. Abuse requires convincing or causing a vulnerable Python FTP client to connect to a malicious FTP server, which can then redirect the client’s data connection toward a selected address and port.

Researcher notes

Focus validation on ftplib client behavior and distro backports. The important implementation change is that PASV response host data should no longer be trusted by default. Avoid assuming broad exposure from Python presence alone; the risky condition is vulnerable FTP client usage.

Mitigation direction

  • Upgrade Python to a fixed upstream version or vendor-patched package.
  • Prioritize systems running automated Python FTP clients against external servers.
  • Restrict outbound egress from FTP automation hosts to required destinations and ports.
  • Review vendor advisories for backported fixes on supported Linux distributions.
  • Retire or replace FTP workflows where secure alternatives are practical.

Validation and detection

  • Inventory Python runtimes and packages used by FTP automation.
  • Search code for ftplib.FTP, ftplib.FTP_TLS, and passive FTP usage.
  • Confirm runtime versions meet fixed releases or vendor advisory status.
  • Check whether workloads connect to untrusted or third-party FTP servers.
  • Review network egress logs for unexpected FTP client connection targets.
Prepared
Confidence
high
Sources
9

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-252: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2021-4189 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Medium
CVSS
5.3 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
11Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
5.3CVSS 3.1MediumCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N3.91.4Primary CVE score

Vulnerability scoring details

Base CVSS 3.1 score

5.3Medium
CVSS 3.1 vector shape for CVE-2021-4189Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/apythonFixed in python 3.6.14, python 3.7.11, python 3.8.9, python 3.9.3, python 3.10.0Listed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-252 · source CWE mapping

CWE mapping pending import

This CVE carries a CWE mapping that will resolve to a full Glexia CWE intelligence page after the official CWE import is complete.