CVE-2021-40491: 
NixOS vulnerability analysis and mitigation

CVE-2021-40491 affects the FTP client in GNU Inetutils versions before 2.2. The vulnerability stems from the client's failure to validate addresses returned by PASV/LSPV responses to ensure they match the server address. This security issue was discovered in 2021 and is similar to CVE-2020-8284 found in curl (NVD, GNU Bug Report).

The vulnerability is classified as CWE-345 (Insufficient Verification of Data Authenticity) with a CVSS v3.1 Base Score of 6.5 (Medium). The technical issue lies in the FTP client's trust of host addresses received in PASV responses without proper validation. This implementation flaw allows the client to accept and connect to any IP address provided in the server's response (NVD).

A malicious FTP server can exploit this vulnerability to trick the client into connecting to arbitrary IP addresses and ports. This could enable the attacker to make the FTP client scan ports and extract service banners from the client's private network, potentially exposing sensitive internal network information (GNU Bug Report).

The vulnerability was fixed in GNU Inetutils version 2.2 with a patch that implements address validation for PASV/LSPV responses. The fix ensures that returned addresses match the server's address before establishing connections. Users are advised to upgrade to Inetutils version 2.2 or later (Debian Advisory, GNU Patch).