Detections
Analytics

CVE-2020-8284

low

Description

A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.

References

https://www.oracle.com/security-alerts/cpujan2022.html

https://www.oracle.com/security-alerts/cpuapr2022.html

https://www.oracle.com/security-alerts/cpuApr2021.html

https://www.oracle.com//security-alerts/cpujul2021.html

https://www.debian.org/security/2021/dsa-4881

https://support.apple.com/kb/HT212327

https://support.apple.com/kb/HT212326

https://support.apple.com/kb/HT212325

https://security.netapp.com/advisory/ntap-20210122-0007/

https://security.gentoo.org/glsa/202012-14

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NZUVSQHN2ESHMJXNQ2Z7T2EELBB5HJXG/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DAEHE2S2QLO4AO4MEEYL75NB7SAH5PSL/

https://lists.debian.org/debian-lts-announce/2020/12/msg00029.html

https://hackerone.com/reports/1040166

https://curl.se/docs/CVE-2020-8284.html

https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

Details

Source: Mitre, NVD

Published: 2020-12-14

Updated: 2024-04-08

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 3.7

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Severity: Low