CVE-2020-8284
Summary
| CVE | CVE-2020-8284 |
|---|---|
| State | PUBLISHED |
| Assigner | hackerone |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-12-14 20:15:13 UTC |
| Updated | 2026-04-16 15:16:42 UTC |
| Description | A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions. |
Risk And Classification
Primary CVSS: v3.1 3.7 LOW from [email protected]
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Problem Types: CWE-200 | NVD-CWE-noinfo | CWE-200 Information Disclosure (CWE-200)
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 3.7 | LOW | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
| 3.1 | ADP | DECLARED | 3.7 | LOW | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
| 3.1 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | 3.7 | LOW | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
| 2.0 | [email protected] | Primary | 4.3 | AV:N/AC:M/Au:N/C:P/I:N/A:N |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
HighPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
LowIntegrity
NoneAvailability
NoneCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS v2.0 Breakdown
Access Vector
NetworkAccess Complexity
MediumAuthentication
NoneConfidentiality
PartialIntegrity
NoneAvailability
NoneAV:N/AC:M/Au:N/C:P/I:N/A:N
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Apple | Mac Os X | All | All | All | All |
| Operating System | Debian | Debian Linux | 10.0 | All | All | All |
| Operating System | Debian | Debian Linux | 9.0 | All | All | All |
| Operating System | Fedoraproject | Fedora | 32 | All | All | All |
| Operating System | Fedoraproject | Fedora | 33 | All | All | All |
| Application | Haxx | Curl | All | All | All | All |
| Application | Netapp | Clustered Data Ontap | - | All | All | All |
| Operating System | Netapp | Hci Bootstrap Os | - | All | All | All |
| Hardware | Netapp | Hci Compute Node | - | All | All | All |
| Application | Netapp | Hci Management Node | - | All | All | All |
| Hardware | Netapp | Hci Storage Node | - | All | All | All |
| Application | Netapp | Solidfire | - | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Na | Https//github.com/curl/curl | affected 7.73.0 and earlier | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| curl - trusting FTP PASV responses - CVE-2020-8284 | af854a3a-2127-422b-91ae-364da2661108 | curl.se | Vendor Advisory |
| December 2020 cURL/libcURL Vulnerabilities in NetApp Products | NetApp Product Security | af854a3a-2127-422b-91ae-364da2661108 | security.netapp.com | Third Party Advisory |
| Oracle Critical Patch Update Advisory - April 2022 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | Patch, Third Party Advisory |
| Oracle Critical Patch Update Advisory - July 2021 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | Patch, Third Party Advisory |
| [SECURITY] Fedora 33 Update: curl-7.71.1-8.fc33 - package-announce - Fedora Mailing-Lists | af854a3a-2127-422b-91ae-364da2661108 | lists.fedoraproject.org | Mailing List, Third Party Advisory |
| [SECURITY] [DLA 2500-1] curl security update | af854a3a-2127-422b-91ae-364da2661108 | lists.debian.org | Mailing List, Third Party Advisory |
| cURL: Multiple vulnerabilities (GLSA 202012-14) — Gentoo security | af854a3a-2127-422b-91ae-364da2661108 | security.gentoo.org | Third Party Advisory |
| About the security content of Security Update 2021-002 Catalina - Apple Support | af854a3a-2127-422b-91ae-364da2661108 | support.apple.com | Third Party Advisory |
| Oracle Critical Patch Update Advisory - January 2022 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | Patch, Third Party Advisory |
| Oracle Critical Patch Update Advisory - April 2021 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | Patch, Third Party Advisory |
| About the security content of macOS Big Sur 11.3 - Apple Support | af854a3a-2127-422b-91ae-364da2661108 | support.apple.com | Third Party Advisory |
| HackerOne | af854a3a-2127-422b-91ae-364da2661108 | hackerone.com | Permissions Required |
| About the security content of Security Update 2021-003 Mojave - Apple Support | af854a3a-2127-422b-91ae-364da2661108 | support.apple.com | Third Party Advisory |
| [SECURITY] Fedora 32 Update: curl-7.69.1-7.fc32 - package-announce - Fedora Mailing-Lists | af854a3a-2127-422b-91ae-364da2661108 | lists.fedoraproject.org | Mailing List, Third Party Advisory |
| Debian -- Security Information -- DSA-4881-1 curl | af854a3a-2127-422b-91ae-364da2661108 | www.debian.org | Third Party Advisory |
| cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf | af854a3a-2127-422b-91ae-364da2661108 | cert-portal.siemens.com | Patch, Third Party Advisory |
| [SECURITY] Fedora 32 Update: curl-7.69.1-7.fc32 - package-announce - Fedora Mailing-Lists | MITRE | lists.fedoraproject.org | |
| [SECURITY] Fedora 33 Update: curl-7.71.1-8.fc33 - package-announce - Fedora Mailing-Lists | MITRE | lists.fedoraproject.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 159196 Oracle Enterprise Linux Security Update for curl (ELSA-2021-1610)
- 178522 Debian Security Update for curl (DSA 4881-1)
- 181247 Debian Security Update for inetutils (DLA 3205-1)
- 239328 Red Hat Update for curl (RHSA-2021:1610)
- 239451 Red Hat Update for Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP8 (RHSA-2021:2472)
- 296067 Oracle Solaris 11.4 Support Repository Update (SRU) 33.94.0 Missing (CPUAPR2021)
- 352506 Amazon Linux Security Advisory for curl: ALAS2-2021-1693
- 376053 F5 BIG-IP Local Traffic Manager (LTM), Access Policy Manager (APM), Application Security Manager (ASM) cURL Vulnerability (K63525058)
- 376969 NetApp Clustered Data Open Network Technology for Appliance Products (ONTAP) Disclosure of Sensitive Information Vulnerability (NTAP-20210122-0007)
- 377396 Alibaba Cloud Linux Security Update for curl (ALINUX3-SA-2021:0078)
- 378599 Splunk Enterprise Third Party Package Updates for June (SVD-2023-0613)
- 378883 Splunk Enterprise August Third Party Package Updates (SVD-2023-0808)
- 44183 Juniper Network Operating System (Junos OS) Multiple Security Vulnerabilites (JSA79108)
- 500133 Alpine Linux Security Update for curl
- 501396 Alpine Linux Security Update for curl
- 503888 Alpine Linux Security Update for curl
- 591406 Siemens SIMATIC S7-1500 CPU GNU/Linux subsystem Multiple Vulnerabilities (SSB-439005, ICSA-22-104-13)
- 670356 EulerOS Security Update for curl (EulerOS-SA-2021-1868)
- 670383 EulerOS Security Update for curl (EulerOS-SA-2021-1942)
- 670404 EulerOS Security Update for curl (EulerOS-SA-2021-1921)
- 671343 EulerOS Security Update for curl (EulerOS-SA-2022-1265)
- 671718 EulerOS Security Update for curl (EulerOS-SA-2022-1711)
- 690348 Free Berkeley Software Distribution (FreeBSD) Security Update for curl (3c77f139-3a09-11eb-929d-d4c9ef517024)
- 750055 SUSE Enterprise Linux Security Update for curl (SUSE-SU-2021:1786-1)
- 750490 OpenSUSE Security Update for curl (openSUSE-SU-2020:2249-1)
- 750492 OpenSUSE Security Update for curl (openSUSE-SU-2020:2238-1)
- 900155 CBL-Mariner Linux Security Update for curl 7.68.0
- 903483 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (3675)
- 940000 AlmaLinux Security Update for curl (ALSA-2021:1610)
- 960740 Rocky Linux Security Update for curl (RLSA-2021:1610)