CVE-2021-37533: 
Java vulnerability analysis and mitigation

CVE-2021-37533 affects Apache Commons Net's FTP client prior to version 3.9.0. The vulnerability was discovered by ZeddYu Lu and disclosed in December 2022. The issue exists in the FTP client's default behavior of trusting the host from PASV response. This vulnerability affects all versions of Apache Commons Net before 3.9.0, as well as various systems that implement this library, including Debian systems (Debian Advisory).

The vulnerability stems from the FTP client's default configuration where it trusts the host information received in the PASV response. The issue has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N, indicating that it requires user interaction but can be exploited remotely without authentication (NVD).

When exploited, this vulnerability could lead to information leakage about services running on the private network of the client. The attack requires the user to initially connect to a malicious server, which can then redirect the Commons Net code to use a different host (OSS Security).

The vulnerability has been fixed in Apache Commons Net version 3.9.0, where the default behavior has been changed to ignore hosts from PASV responses, similar to cURL's approach. Users are recommended to upgrade to version 3.9.0 or later. For Debian systems, security updates have been released (version 3.6-1+deb10u1 for Debian 10 and version 3.6-1+deb11u1 for Debian 11) (Debian Advisory).