rubysec · jasnow · Feb 4, 2026
diff --git a/rubies/jruby/CVE-2021-31810.yml b/rubies/jruby/CVE-2021-31810.yml
@@ -0,0 +1,28 @@
+---
+engine: jruby
+cve: 2021-31810
+ghsa: wr95-679j-87v9
+url: https://nvd.nist.gov/vuln/detail/CVE-2021-31810
+title: Trusting FTP PASV responses vulnerability in Net::FTP
+date: 2021-07-13
+description: |
+  A malicious FTP server can use the PASV response to trick Net::FTP
+  into connecting back to a given IP address and port. This potentially
+  makes curl extract information about services that are otherwise
+  private and not disclosed (e.g., the attacker can conduct port
+  scans and service banner extractions).
+cvss_v2: 5.0
+cvss_v3: 5.8
+patched_versions:
+  - ">= 9.3.0"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-31810
+    - https://github.com/jruby/jruby/wiki/JRuby-9.3.0.0-Release-Notes
+    - https://github.com/jruby/jruby/issues/6825
+    - https://github.com/jruby/jruby/pull/6802
+    - https://github.com/ruby/net-ftp/commit/5709ece67cf57a94655e34532f8a7899b28d496a
+    - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014818
+    - https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html
+    - https://hackerone.com/reports/1145454
+    - https://github.com/advisories/GHSA-wr95-679j-87v9
diff --git a/rubies/ruby/CVE-2021-31810.yml b/rubies/ruby/CVE-2021-31810.yml
@@ -0,0 +1,36 @@
+---
+engine: ruby
+cve: 2021-31810
+ghsa: wr95-679j-87v9
+url: https://nvd.nist.gov/vuln/detail/CVE-2021-31810
+title: Trusting FTP PASV responses vulnerability in Net::FTP
+date: 2021-07-13
+description: |
+  An issue was discovered in Ruby through
+  2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1.
+  A malicious FTP server can use the PASV response to trick Net::FTP
+  into connecting back to a given IP address and port. This potentially
+  makes curl extract information about services that are otherwise
+  private and not disclosed (e.g., the attacker can conduct port
+  scans and service banner extractions).
+cvss_v2: 5.0
+cvss_v3: 5.8
+patched_versions:
+  - "~> 2.6.8"
+  - "~> 2.7.4"
+  - ">= 3.0.2"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-31810
+    - https://www.ruby-lang.org/en/news/2021/07/07/ruby-3-0-2-released
+    - https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-7-4-released
+    - https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-6-8-released
+    - https://www.ruby-lang.org/en/news/2021/07/07/trusting-pasv-responses-in-net-ftp
+    - https://hackerone.com/reports/1145454
+    - https://security.gentoo.org/glsa/202401-27
+    - https://lists.debian.org/debian-lts-announce/2021/10/msg00009.html
+    - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWXHK5UUHVSHF7HTHMX6JY3WXDVNIHSL
+    - https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MWXHK5UUHVSHF7HTHMX6JY3WXDVNIHSL
+    - https://www.oracle.com/security-alerts/cpuapr2022.html
+    - https://security.netapp.com/advisory/ntap-20210917-0001/
+    - https://github.com/advisories/GHSA-wr95-679j-87v9