CVE-2021-2341 - Vulnerability Details

CVE-2021-2341 - OpenJDK: FTP PASV command response can cause FtpClient to connect to arbitrary host (Networking, 8258432)

Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u301, 8u291, 11.0.11, 16.0.1; Oracle GraalVM Enterprise Edition: 20.3.2 and 21.1.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Debian	Debian Linux
Fedoraproject	Fedora
Oracle	Graalvm Jdk Jre Openjdk
Redhat	Enterprise Linux Openjdk Rhel Eus Rhel Extras

Configuration 1 [-]

OR	cpe:2.3:a:oracle:openjdk:7:-::::::
	cpe:2.3:a:oracle:openjdk:7:update1::::::
	cpe:2.3:a:oracle:openjdk:7:update10::::::
	cpe:2.3:a:oracle:openjdk:7:update101::::::
	cpe:2.3:a:oracle:openjdk:7:update11::::::
	cpe:2.3:a:oracle:openjdk:7:update111::::::
	cpe:2.3:a:oracle:openjdk:7:update121::::::
	cpe:2.3:a:oracle:openjdk:7:update13::::::
	cpe:2.3:a:oracle:openjdk:7:update131::::::
	cpe:2.3:a:oracle:openjdk:7:update141::::::
	cpe:2.3:a:oracle:openjdk:7:update15::::::
	cpe:2.3:a:oracle:openjdk:7:update151::::::
	cpe:2.3:a:oracle:openjdk:7:update161::::::
	cpe:2.3:a:oracle:openjdk:7:update17::::::
	cpe:2.3:a:oracle:openjdk:7:update171::::::
	cpe:2.3:a:oracle:openjdk:7:update181::::::
	cpe:2.3:a:oracle:openjdk:7:update191::::::
	cpe:2.3:a:oracle:openjdk:7:update2::::::
	cpe:2.3:a:oracle:openjdk:7:update201::::::
	cpe:2.3:a:oracle:openjdk:7:update21::::::
	cpe:2.3:a:oracle:openjdk:7:update211::::::
	cpe:2.3:a:oracle:openjdk:7:update221::::::
	cpe:2.3:a:oracle:openjdk:7:update231::::::
	cpe:2.3:a:oracle:openjdk:7:update241::::::
	cpe:2.3:a:oracle:openjdk:7:update25::::::
	cpe:2.3:a:oracle:openjdk:7:update251::::::
	cpe:2.3:a:oracle:openjdk:7:update261::::::
	cpe:2.3:a:oracle:openjdk:7:update271::::::
	cpe:2.3:a:oracle:openjdk:7:update281::::::
	cpe:2.3:a:oracle:openjdk:7:update291::::::
	cpe:2.3:a:oracle:openjdk:7:update3::::::
	cpe:2.3:a:oracle:openjdk:7:update301::::::
	cpe:2.3:a:oracle:openjdk:8:-::::::
	cpe:2.3:a:oracle:openjdk:8:milestone1::::::
	cpe:2.3:a:oracle:openjdk:8:milestone2::::::
	cpe:2.3:a:oracle:openjdk:8:milestone3::::::
	cpe:2.3:a:oracle:openjdk:8:milestone4::::::
	cpe:2.3:a:oracle:openjdk:8:milestone5::::::
	cpe:2.3:a:oracle:openjdk:8:milestone6::::::
	cpe:2.3:a:oracle:openjdk:8:milestone7::::::
	cpe:2.3:a:oracle:openjdk:8:milestone8::::::
	cpe:2.3:a:oracle:openjdk:8:milestone9::::::
	cpe:2.3:a:oracle:openjdk:8:update101::::::
	cpe:2.3:a:oracle:openjdk:8:update102::::::
	cpe:2.3:a:oracle:openjdk:8:update11::::::
	cpe:2.3:a:oracle:openjdk:8:update111::::::
	cpe:2.3:a:oracle:openjdk:8:update112::::::
	cpe:2.3:a:oracle:openjdk:8:update121::::::
	cpe:2.3:a:oracle:openjdk:8:update131::::::
	cpe:2.3:a:oracle:openjdk:8:update141::::::
	cpe:2.3:a:oracle:openjdk:8:update151::::::
	cpe:2.3:a:oracle:openjdk:8:update152::::::
	cpe:2.3:a:oracle:openjdk:8:update161::::::
	cpe:2.3:a:oracle:openjdk:8:update162::::::
	cpe:2.3:a:oracle:openjdk:8:update171::::::
	cpe:2.3:a:oracle:openjdk:8:update172::::::
	cpe:2.3:a:oracle:openjdk:8:update181::::::
	cpe:2.3:a:oracle:openjdk:8:update191::::::
	cpe:2.3:a:oracle:openjdk:8:update192::::::
	cpe:2.3:a:oracle:openjdk:8:update20::::::
	cpe:2.3:a:oracle:openjdk:8:update201::::::
	cpe:2.3:a:oracle:openjdk:8:update202::::::
	cpe:2.3:a:oracle:openjdk:8:update211::::::
	cpe:2.3:a:oracle:openjdk:8:update212::::::
cpe:2.3:a:oracle:openjdk:8:update221::::::
cpe:2.3:a:oracle:openjdk:8:update222::::::
cpe:2.3:a:oracle:openjdk:8:update231::::::
cpe:2.3:a:oracle:openjdk:8:update232::::::
cpe:2.3:a:oracle:openjdk:8:update241::::::
cpe:2.3:a:oracle:openjdk:8:update242::::::
cpe:2.3:a:oracle:openjdk:8:update25::::::
cpe:2.3:a:oracle:openjdk:8:update252::::::
cpe:2.3:a:oracle:openjdk:8:update262::::::
cpe:2.3:a:oracle:openjdk:8:update271::::::
cpe:2.3:a:oracle:openjdk:8:update281::::::
cpe:2.3:a:oracle:openjdk:8:update282::::::
cpe:2.3:a:oracle:openjdk:8:update291::::::
cpe:2.3:a:oracle:openjdk:8:update292::::::
cpe:2.3:a:oracle:openjdk:11:::::::*
cpe:2.3:a:oracle:openjdk:11.0.1:::::::*
cpe:2.3:a:oracle:openjdk:11.0.2:::::::*
cpe:2.3:a:oracle:openjdk:11.0.3:::::::*
cpe:2.3:a:oracle:openjdk:11.0.4:::::::*
cpe:2.3:a:oracle:openjdk:11.0.5:::::::*
cpe:2.3:a:oracle:openjdk:11.0.6:::::::*
cpe:2.3:a:oracle:openjdk:11.0.7:::::::*
cpe:2.3:a:oracle:openjdk:11.0.8:::::::*
cpe:2.3:a:oracle:openjdk:11.0.9:::::::*
cpe:2.3:a:oracle:openjdk:11.0.10:::::::*
cpe:2.3:a:oracle:openjdk:11.0.11:::::::*
cpe:2.3:a:oracle:openjdk:13:::::::*
cpe:2.3:a:oracle:openjdk:13.0.1:::::::*
cpe:2.3:a:oracle:openjdk:13.0.2:::::::*
cpe:2.3:a:oracle:openjdk:13.0.3:::::::*
cpe:2.3:a:oracle:openjdk:13.0.4:::::::*
cpe:2.3:a:oracle:openjdk:13.0.5:::::::*
cpe:2.3:a:oracle:openjdk:13.0.6:::::::*
cpe:2.3:a:oracle:openjdk:13.0.7:::::::*
cpe:2.3:a:oracle:openjdk:15:::::::*
cpe:2.3:a:oracle:openjdk:15.0.1:::::::*
cpe:2.3:a:oracle:openjdk:15.0.2:::::::*
cpe:2.3:a:oracle:openjdk:15.0.3:::::::*
cpe:2.3:a:oracle:openjdk:16:::::::*
cpe:2.3:a:oracle:openjdk:16.0.1:::::::*

Configuration 2 [-]

OR	cpe:2.3:a:oracle:graalvm:20.3.2::::enterprise:::
	cpe:2.3:a:oracle:graalvm:21.1.0::::enterprise:::
	cpe:2.3:a:oracle:jdk:1.7.0:update301::::::
	cpe:2.3:a:oracle:jdk:1.8.0:update291::::::
	cpe:2.3:a:oracle:jdk:11.0.11:::::::*
	cpe:2.3:a:oracle:jdk:16.0.1:::::::*
	cpe:2.3:a:oracle:jre:1.7.0:update301::::::
	cpe:2.3:a:oracle:jre:1.8.0:update291::::::
	cpe:2.3:a:oracle:jre:11.0.11:::::::*
	cpe:2.3:a:oracle:jre:16.0.1:::::::*

Configuration 3 [-]

OR	cpe:2.3:o:debian:debian_linux:9.0:::::::*
	cpe:2.3:o:debian:debian_linux:10.0:::::::*

Configuration 4 [-]

OR	cpe:2.3:o:fedoraproject:fedora:33:::::::*
	cpe:2.3:o:fedoraproject:fedora:34:::::::*

Package	CPE	Advisory	Released Date
Red Hat Build of OpenJDK
Linux	cpe:/a:redhat:openjdk:11.0.12	RHSA-2021:2780	2021-07-22T00:00:00Z
Windows	cpe:/a:redhat:openjdk:11.0.12::windows	RHSA-2021:2779	2021-07-22T00:00:00Z
Linux	cpe:/a:redhat:openjdk:1.8	RHSA-2021:2778	2021-07-22T00:00:00Z
Windows	cpe:/a:redhat:openjdk:1.8::windows	RHSA-2021:2777	2021-07-22T00:00:00Z
Red Hat Enterprise Linux 7
java-11-openjdk-1:11.0.12.0.7-0.el7_9	cpe:/o:redhat:enterprise_linux:7	RHSA-2021:2784	2021-07-21T00:00:00Z
java-1.8.0-openjdk-1:1.8.0.302.b08-0.el7_9	cpe:/o:redhat:enterprise_linux:7	RHSA-2021:2845	2021-07-21T00:00:00Z
Red Hat Enterprise Linux 7 Supplementary
java-1.8.0-ibm-1:1.8.0.6.35-1jpp.1.el7	cpe:/a:redhat:rhel_extras:7	RHSA-2021:3292	2021-08-30T00:00:00Z
java-1.7.1-ibm-1:1.7.1.4.90-1jpp.1.el7	cpe:/a:redhat:rhel_extras:7	RHSA-2021:3293	2021-08-30T00:00:00Z
Red Hat Enterprise Linux 8
java-1.8.0-openjdk-1:1.8.0.302.b08-0.el8_4	cpe:/a:redhat:enterprise_linux:8	RHSA-2021:2776	2021-07-21T00:00:00Z
java-11-openjdk-1:11.0.12.0.7-0.el8_4	cpe:/a:redhat:enterprise_linux:8	RHSA-2021:2781	2021-07-21T00:00:00Z
java-1.8.0-ibm-1:1.8.0.6.35-1.el8_4	cpe:/a:redhat:enterprise_linux:8::supplementary	RHSA-2021:4089	2021-11-02T00:00:00Z
Red Hat Enterprise Linux 8.1 Extended Update Support
java-1.8.0-openjdk-1:1.8.0.302.b08-0.el8_1	cpe:/a:redhat:rhel_eus:8.1	RHSA-2021:2775	2021-07-21T00:00:00Z
java-11-openjdk-1:11.0.12.0.7-0.el8_1	cpe:/a:redhat:rhel_eus:8.1	RHSA-2021:2783	2021-07-21T00:00:00Z
Red Hat Enterprise Linux 8.2 Extended Update Support
java-1.8.0-openjdk-1:1.8.0.302.b08-0.el8_2	cpe:/a:redhat:rhel_eus:8.2	RHSA-2021:2774	2021-07-21T00:00:00Z
java-11-openjdk-1:11.0.12.0.7-0.el8_2	cpe:/a:redhat:rhel_eus:8.2	RHSA-2021:2782	2021-07-21T00:00:00Z

References

Link	Providers
https://lists.debian.org/debian-lts-announce/2021/08/msg00011.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A4TTUHVQF2MGUTP6GTCXLZS4GXK3XUWC/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N57OFX5EJKHHDW4WAOBZFWA5CL4VIIK5/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PJJ75FHSUZGWPV4UJTSMQHWLOQ77LHTG/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VTRQIXB52KIXUAO6JBYUKYWXST2NKNAK/
https://nvd.nist.gov/vuln/detail/CVE-2021-2341
https://security.gentoo.org/glsa/202209-05
https://security.netapp.com/advisory/ntap-20210723-0002/
https://www.cve.org/CVERecord?id=CVE-2021-2341
https://www.debian.org/security/2021/dsa-4946
https://www.oracle.com/security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuoct2021.html

History

Tue, 27 May 2025 17:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Oracle jdk Oracle jre
CPEs		cpe:2.3:a:oracle:jdk:1.7.0:update301:::::: cpe:2.3:a:oracle:jdk:1.8.0:update291:::::: cpe:2.3:a:oracle:jdk:11.0.11:::::::* cpe:2.3:a:oracle:jdk:16.0.1:::::::* cpe:2.3:a:oracle:jre:1.7.0:update301:::::: cpe:2.3:a:oracle:jre:1.8.0:update291:::::: cpe:2.3:a:oracle:jre:11.0.11:::::::* cpe:2.3:a:oracle:jre:16.0.1:::::::* cpe:2.3:a:oracle:openjdk:11.0.10:::::::* cpe:2.3:a:oracle:openjdk:11.0.1:::::::* cpe:2.3:a:oracle:openjdk:11.0.2:::::::* cpe:2.3:a:oracle:openjdk:11.0.3:::::::* cpe:2.3:a:oracle:openjdk:11.0.4:::::::* cpe:2.3:a:oracle:openjdk:11.0.5:::::::* cpe:2.3:a:oracle:openjdk:11.0.6:::::::* cpe:2.3:a:oracle:openjdk:11.0.7:::::::* cpe:2.3:a:oracle:openjdk:11.0.8:::::::* cpe:2.3:a:oracle:openjdk:11.0.9:::::::* cpe:2.3:a:oracle:openjdk:11:::::::* cpe:2.3:a:oracle:openjdk:13.0.1:::::::* cpe:2.3:a:oracle:openjdk:13.0.2:::::::* cpe:2.3:a:oracle:openjdk:13.0.3:::::::* cpe:2.3:a:oracle:openjdk:13.0.4:::::::* cpe:2.3:a:oracle:openjdk:13.0.5:::::::* cpe:2.3:a:oracle:openjdk:13.0.6:::::::* cpe:2.3:a:oracle:openjdk:13.0.7:::::::* cpe:2.3:a:oracle:openjdk:13:::::::* cpe:2.3:a:oracle:openjdk:15.0.1:::::::* cpe:2.3:a:oracle:openjdk:15.0.2:::::::* cpe:2.3:a:oracle:openjdk:15.0.3:::::::* cpe:2.3:a:oracle:openjdk:15:::::::* cpe:2.3:a:oracle:openjdk:16:::::::* cpe:2.3:a:oracle:openjdk:7:-:::::: cpe:2.3:a:oracle:openjdk:7:update101:::::: cpe:2.3:a:oracle:openjdk:7:update10:::::: cpe:2.3:a:oracle:openjdk:7:update111:::::: cpe:2.3:a:oracle:openjdk:7:update11:::::: cpe:2.3:a:oracle:openjdk:7:update121:::::: cpe:2.3:a:oracle:openjdk:7:update131:::::: cpe:2.3:a:oracle:openjdk:7:update13:::::: cpe:2.3:a:oracle:openjdk:7:update141:::::: cpe:2.3:a:oracle:openjdk:7:update151:::::: cpe:2.3:a:oracle:openjdk:7:update15:::::: cpe:2.3:a:oracle:openjdk:7:update161:::::: cpe:2.3:a:oracle:openjdk:7:update171:::::: cpe:2.3:a:oracle:openjdk:7:update17:::::: cpe:2.3:a:oracle:openjdk:7:update181:::::: cpe:2.3:a:oracle:openjdk:7:update191:::::: cpe:2.3:a:oracle:openjdk:7:update1:::::: cpe:2.3:a:oracle:openjdk:7:update201:::::: cpe:2.3:a:oracle:openjdk:7:update211:::::: cpe:2.3:a:oracle:openjdk:7:update21:::::: cpe:2.3:a:oracle:openjdk:7:update221:::::: cpe:2.3:a:oracle:openjdk:7:update231:::::: cpe:2.3:a:oracle:openjdk:7:update241:::::: cpe:2.3:a:oracle:openjdk:7:update251:::::: cpe:2.3:a:oracle:openjdk:7:update25:::::: cpe:2.3:a:oracle:openjdk:7:update261:::::: cpe:2.3:a:oracle:openjdk:7:update271:::::: cpe:2.3:a:oracle:openjdk:7:update281:::::: cpe:2.3:a:oracle:openjdk:7:update291:::::: cpe:2.3:a:oracle:openjdk:7:update2:::::: cpe:2.3:a:oracle:openjdk:7:update3:::::: cpe:2.3:a:oracle:openjdk:8:-:::::: cpe:2.3:a:oracle:openjdk:8:milestone1:::::: cpe:2.3:a:oracle:openjdk:8:milestone2:::::: cpe:2.3:a:oracle:openjdk:8:milestone3:::::: cpe:2.3:a:oracle:openjdk:8:milestone4:::::: cpe:2.3:a:oracle:openjdk:8:milestone5:::::: cpe:2.3:a:oracle:openjdk:8:milestone6:::::: cpe:2.3:a:oracle:openjdk:8:milestone7:::::: cpe:2.3:a:oracle:openjdk:8:milestone8:::::: cpe:2.3:a:oracle:openjdk:8:milestone9:::::: cpe:2.3:a:oracle:openjdk:8:update101:::::: cpe:2.3:a:oracle:openjdk:8:update102:::::: cpe:2.3:a:oracle:openjdk:8:update111:::::: cpe:2.3:a:oracle:openjdk:8:update112:::::: cpe:2.3:a:oracle:openjdk:8:update11:::::: cpe:2.3:a:oracle:openjdk:8:update121:::::: cpe:2.3:a:oracle:openjdk:8:update131:::::: cpe:2.3:a:oracle:openjdk:8:update141:::::: cpe:2.3:a:oracle:openjdk:8:update151:::::: cpe:2.3:a:oracle:openjdk:8:update152:::::: cpe:2.3:a:oracle:openjdk:8:update161:::::: cpe:2.3:a:oracle:openjdk:8:update162:::::: cpe:2.3:a:oracle:openjdk:8:update171:::::: cpe:2.3:a:oracle:openjdk:8:update172:::::: cpe:2.3:a:oracle:openjdk:8:update181:::::: cpe:2.3:a:oracle:openjdk:8:update191:::::: cpe:2.3:a:oracle:openjdk:8:update192:::::: cpe:2.3:a:oracle:openjdk:8:update201:::::: cpe:2.3:a:oracle:openjdk:8:update202:::::: cpe:2.3:a:oracle:openjdk:8:update20:::::: cpe:2.3:a:oracle:openjdk:8:update211:::::: cpe:2.3:a:oracle:openjdk:8:update212:::::: cpe:2.3:a:oracle:openjdk:8:update221:::::: cpe:2.3:a:oracle:openjdk:8:update222:::::: cpe:2.3:a:oracle:openjdk:8:update231:::::: cpe:2.3:a:oracle:openjdk:8:update232:::::: cpe:2.3:a:oracle:openjdk:8:update241:::::: cpe:2.3:a:oracle:openjdk:8:update242:::::: cpe:2.3:a:oracle:openjdk:8:update252:::::: cpe:2.3:a:oracle:openjdk:8:update25:::::: cpe:2.3:a:oracle:openjdk:8:update262:::::: cpe:2.3:a:oracle:openjdk:8:update271:::::: cpe:2.3:a:oracle:openjdk:8:update281:::::: cpe:2.3:a:oracle:openjdk:8:update282:::::: cpe:2.3:a:oracle:openjdk:8:update292::::::
Vendors & Products		Oracle jdk Oracle jre

Thu, 26 Sep 2024 14:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2021-07-20T22:43:20

Updated: 2024-09-26T14:04:53.949Z

Reserved: 2020-12-09T00:00:00

Link: CVE-2021-2341

Vulnrichment

Updated: 2024-08-03T16:38:57.562Z

NVD

Status : Analyzed

Published: 2021-07-21T15:15:17.927

Modified: 2025-05-27T16:47:32.957

Link: CVE-2021-2341

Redhat

Severity : Moderate

Publid Date: 2021-07-20T00:00:00Z

Links: CVE-2021-2341 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object