CVE-2026-8328

Public on 2026-05-13
Modified on 2026-05-15
Description
The ftpcp() function in Lib/ftplib.py was not updated when
CVE-2021-4189 was fixed. While makepasv() was patched to replace
server-supplied PASV host addresses with the actual peer address
(getpeername()[0]), ftpcp() still calls parse227() directly and passes
the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.
Severity
Medium severity
Medium
See what this means
CVSS v3 Base Score
5.4
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 2 - Core python Pending Fix
Amazon Linux 2 - Core python3 Pending Fix
Amazon Linux 2023 python3.11 2026-07-07 ALAS2023-2026-1930 Fixed
Amazon Linux 2023 python3.12 2026-07-07 ALAS2023-2026-1931 Fixed
Amazon Linux 2023 python3.13 2026-07-07 ALAS2023-2026-1910 Fixed
Amazon Linux 2023 python3.14 2026-07-07 ALAS2023-2026-1929 Fixed
Amazon Linux 2023 python3.9 2026-07-07 ALAS2023-2026-1933 Fixed

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 5.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N