CVE-2020-8284 Information

Description

A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and in this way potentially make curl extract information about services that are otherwise private and not disclosed, for example by performing port scanning and service banner extraction.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Reference

https://hackerone.com/reports/1040166
https://curl.se/docs/CVE-2020-8284.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZUVSQHN2ESHMJXNQ2Z7T2EELBB5HJXG/
https://lists.debian.org/debian-lts-announce/2020/12/msg00029.html [debian-lts-announce] 20201219 [SECURITY] [DLA 2500-1] curl security update
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DAEHE2S2QLO4AO4MEEYL75NB7SAH5PSL/
https://security.gentoo.org/glsa/202012-14
https://security.netapp.com/advisory/ntap-20210122-0007/
https://www.debian.org/security/2021/dsa-4881
https://support.apple.com/kb/HT212325
https://support.apple.com/kb/HT212326
https://support.apple.com/kb/HT212327
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
https://www.oracle.com/security-alerts/cpuapr2022.html

CPE

cpe:2.3:a:haxx:curl::::::::

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

Base Score

3.7

Base Severity

LOW
