9.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-36159

CVE-2021-36159: libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric...

libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\0' terminator one byte too late.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2021-36159

CVE-2021-36159:

9.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description pinpoints an out-of-bounds read in the FTP passive mode implementation due to mishandling of numeric strings with strtol. The provided GitLab issue #10749 contains a diff for ftp.c that shows the exact code change to fix this. The change is within a loop responsible for parsing the address and port from the FTP server's passive mode response. The surrounding code in the diff, and the logic itself, clearly indicate this is part of a function handling FTP passive mode, identified as fetch_ftp_passive_mode. The patch adds a check for premature null termination after strtol has potentially advanced the pointer, thus preventing the out-of-bounds read. Other patched functions in fetch.c and http.c address similar numeric parsing issues but are not the direct cause of the described FTP passive mode vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

9.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2021-36159: libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric...

CVE-2021-36159:

9.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

CVE-2021-36159: libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric...

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

9.1

9.1

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI