CVE-2020-8284

Common vulnerabilities & exposures (CVE)

CVE database CVE database blogpost Release & EoL database

Published at: - 14-12-2020 09:15

Last modified: - 13-05-2022 10:57

Total changes: - 13

Description

A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

High

Attack complexity

Network

Attack vector

None

Availability

Low

Confidentiality

None

Integrity

None

Privileges required

Unchanged

Scope

None

User interaction

3.7

Base score

2.2

1.4

Exploitability score

Impact score

Verification logic

vendor=haxx AND product=curl AND versionEndIncluding=7.73.0

vendor=fedoraproject AND product=fedora AND version=32

vendor=fedoraproject AND product=fedora AND version=33

vendor=Debian AND product=debian_linux AND version=9.0

vendor=Debian AND product=debian_linux AND version=10.0

vendor=netapp AND product=clustered_data_ontap AND version=-

vendor=netapp AND product=solidfire AND version=-

vendor=netapp AND product=hci_management_node AND version=-

vendor=netapp AND product=hci_storage_node AND version=-

AND

vendor=netapp AND product=hci_bootstrap_os AND version=-

vendor=netapp AND product=hci_compute_node AND version=-

vendor=apple AND product=mac_os_x AND versionStartIncluding=10.15 AND versionEndExcluding=10.15.7

vendor=apple AND product=mac_os_x AND versionStartIncluding=10.14.0 AND versionEndExcluding=10.14.6

vendor=apple AND product=mac_os_x AND version=10.14.6 AND update=security_update_2020-001

vendor=apple AND product=mac_os_x AND version=10.14.6 AND update=security_update_2020-002

vendor=apple AND product=mac_os_x AND version=10.14.6 AND update=security_update_2020-003

vendor=apple AND product=mac_os_x AND version=10.14.6 AND update=security_update_2020-004

vendor=apple AND product=mac_os_x AND version=10.14.6 AND update=security_update_2020-005

vendor=apple AND product=mac_os_x AND version=10.14.6 AND update=security_update_2020-006

vendor=apple AND product=mac_os_x AND version=10.14.6 AND update=security_update_2019-007

vendor=apple AND product=mac_os_x AND version=10.14.6 AND update=security_update_2019-004

vendor=apple AND product=macos AND version=11.0.1

vendor=apple AND product=macos AND version=11.1

vendor=apple AND product=macos AND version=11.2

vendor=apple AND product=mac_os_x AND version=10.14.6 AND update=security_update_2019-001

vendor=apple AND product=mac_os_x AND version=10.14.6 AND update=security_update_2019-002

vendor=apple AND product=mac_os_x AND version=10.14.6 AND update=security_update_2019-005

vendor=apple AND product=mac_os_x AND version=10.14.6 AND update=security_update_2019-006

vendor=apple AND product=mac_os_x AND version=10.14.6 AND update=security_update_2020-007

vendor=apple AND product=mac_os_x AND version=10.14.6 AND update=security_update_2021-001

vendor=apple AND product=mac_os_x AND version=10.14.6 AND update=security_update_2021-002

vendor=apple AND product=mac_os_x AND version=10.14.6 AND update=supplemental_update

vendor=apple AND product=mac_os_x AND version=10.14.6 AND update=supplemental_update_2

vendor=apple AND product=mac_os_x AND version=10.15.7 AND update=-

vendor=apple AND product=mac_os_x AND version=10.15.7 AND update=security_update_2020

vendor=apple AND product=mac_os_x AND version=10.15.7 AND update=security_update_2020-001

vendor=apple AND product=mac_os_x AND version=10.15.7 AND update=security_update_2020-005

vendor=apple AND product=mac_os_x AND version=10.15.7 AND update=security_update_2020-007

vendor=apple AND product=mac_os_x AND version=10.15.7 AND update=security_update_2021-001

vendor=apple AND product=mac_os_x AND version=10.15.7 AND update=supplemental_update

vendor=oracle AND product=peoplesoft_enterprise_peopletools AND version=8.58

vendor=oracle AND product=communications_billing_and_revenue_management AND version=12.0.0.3.0

vendor=oracle AND product=essbase AND version=21.2

vendor=oracle AND product=communications_cloud_native_core_policy AND version=1.14.0

AND

vendor=fujitsu AND product=m10-1_firmware AND versionEndExcluding=xcp2410

vendor=fujitsu AND product=m10-1 AND version=-

AND

vendor=fujitsu AND product=m10-4_firmware AND versionEndExcluding=xcp2410

vendor=fujitsu AND product=m10-4 AND version=-

AND

vendor=fujitsu AND product=m10-4s_firmware AND versionEndExcluding=xcp2410

vendor=fujitsu AND product=m10-4s AND version=-

AND

vendor=fujitsu AND product=m12-1_firmware AND versionEndExcluding=xcp2410

vendor=fujitsu AND product=m12-1 AND version=-

AND

vendor=fujitsu AND product=m12-2_firmware AND versionEndExcluding=xcp2410

vendor=fujitsu AND product=m12-2 AND version=-

AND

vendor=fujitsu AND product=m12-2s_firmware AND versionEndExcluding=xcp2410

vendor=fujitsu AND product=m12-2s AND version=-

AND

vendor=fujitsu AND product=m10-1_firmware AND versionEndExcluding=xcp3110

vendor=fujitsu AND product=m10-1 AND version=-

AND

vendor=fujitsu AND product=m10-4_firmware AND versionEndExcluding=xcp3110

vendor=fujitsu AND product=m10-4 AND version=-

AND

vendor=fujitsu AND product=m10-4s_firmware AND versionEndExcluding=xcp3110

vendor=fujitsu AND product=m10-4s AND version=-

AND

vendor=fujitsu AND product=m12-1_firmware AND versionEndExcluding=xcp3110

vendor=fujitsu AND product=m12-1 AND version=-

AND

vendor=fujitsu AND product=m12-2_firmware AND versionEndExcluding=xcp3110

vendor=fujitsu AND product=m12-2 AND version=-

AND

vendor=fujitsu AND product=m12-2s_firmware AND versionEndExcluding=xcp3110

vendor=fujitsu AND product=m12-2s AND version=-

vendor=siemens AND product=sinec_infrastructure_network_services AND versionEndExcluding=1.0.1.1

Reference

https://hackerone.com/reports/1040166
https://curl.se/docs/CVE-2020-8284.html
FEDORA-2020-ceaf490686-Third Party Advisory
[debian-lts-announce] 20201219 [SECURITY] [DLA 2500-1] curl security update-Mailing List, Third Party Advisory
FEDORA-2020-7ab62c73bc-Third Party Advisory
GLSA-202012-14-Third Party Advisory
https://security.netapp.com/advisory/ntap-20210122-0007/
DSA-4881-Third Party Advisory
https://support.apple.com/kb/HT212325
https://support.apple.com/kb/HT212326
https://support.apple.com/kb/HT212327
https://www.oracle.com/security-alerts/cpuApr2021.html
N/A-Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
https://www.oracle.com/security-alerts/cpuapr2022.html

Keywords

CVE-2020-8284

Common vulnerabilities & exposures (CVE)

Description

Common Vulnerability Scoring System (CVSS)

Verification logic

Reference

NVD

CVE-2020-8284

CVE

Common vulnerabilities & exposures

CVSS

Common vulnerability scoring system

Security

Vulnerabilities

Exposures