What is CVE-2021-36159?

CVE-2021-36159 is a vulnerability that affects libfetch, a library used in apk-tools, xbps, and other products. It mishandles numeric strings for the FTP and HTTP protocols, leading to an out-of-bounds read.

What software products are affected by CVE-2021-36159?

CVE-2021-36159 affects apk-tools, xbps, and other products that use libfetch before version 2021-07-26.

What is the severity of CVE-2021-36159?

CVE-2021-36159 has a severity rating of 9.1 (Critical).

How does CVE-2021-36159 exploit the FTP passive mode implementation?

CVE-2021-36159 exploits the FTP passive mode implementation by using strtol to parse numeric strings into address bytes, which can lead to an out-of-bounds read.

Where can I find more information about CVE-2021-36159?

You can find more information about CVE-2021-36159 on the following references: [GitHub](https://github.com/freebsd/freebsd-src/commits/main/lib/libfetch), [GitLab](https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10749), and [Apache Mailing List](https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E).

Vulnerability/
CVE-2021-36159

critical

9.1

CWE

125

3/8/2021

4/8/2024

CVE-2021-36159

First published: Tue Aug 03 2021(Updated: )

libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\0' terminator one byte too late.

Credit: cve@mitre.org

Affected Software	Affected Version	How to fix
Freebsd Libfetch	<2021-07-26

Remedy

https://github.com/freebsd/freebsd-src/commits/main/lib/libfetch

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2021-36159?
CVE-2021-36159 is a vulnerability that affects libfetch, a library used in apk-tools, xbps, and other products. It mishandles numeric strings for the FTP and HTTP protocols, leading to an out-of-bounds read.
What software products are affected by CVE-2021-36159?
CVE-2021-36159 affects apk-tools, xbps, and other products that use libfetch before version 2021-07-26.
What is the severity of CVE-2021-36159?
CVE-2021-36159 has a severity rating of 9.1 (Critical).
How does CVE-2021-36159 exploit the FTP passive mode implementation?
CVE-2021-36159 exploits the FTP passive mode implementation by using strtol to parse numeric strings into address bytes, which can lead to an out-of-bounds read.
Where can I find more information about CVE-2021-36159?
You can find more information about CVE-2021-36159 on the following references: [GitHub](https://github.com/freebsd/freebsd-src/commits/main/lib/libfetch), [GitLab](https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10749), and [Apache Mailing List](https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E).

collector/nvd-index
agent/weakness
agent/severity
agent/references
agent/author
agent/type
agent/description
agent/event
agent/softwarecombine
agent/first-publish-date
agent/last-modified-date
agent/remedy
agent/tags
collector/mitre-cve
source/MITRE
vendor/freebsd
canonical/freebsd libfetch