CVE Vulnerabilities

CVE-2020-8284

Published: Dec 14, 2020 | Modified: Apr 08, 2024
CVSS 3.x
3.7
LOW
Source:
NVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS 2.x
4.3 MEDIUM
AV:N/AC:M/Au:N/C:P/I:N/A:N
RedHat/V2
RedHat/V3
3.1 MODERATE
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Ubuntu
LOW

A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.

Affected Software

Name Vendor Start Version End Version
Curl Haxx * 7.73.0 (including)
Curl Ubuntu bionic *
Curl Ubuntu devel *
Curl Ubuntu focal *
Curl Ubuntu groovy *
Curl Ubuntu trusty *
Curl Ubuntu trusty/esm *
Curl Ubuntu upstream *
Curl Ubuntu xenial *
JBoss Core Services Apache HTTP Server 2.4.37 SP8 RedHat curl *
JBoss Core Services for RHEL 8 RedHat jbcs-httpd24-0:1-18.el8jbcs *
JBoss Core Services for RHEL 8 RedHat jbcs-httpd24-apr-0:1.6.3-105.el8jbcs *
JBoss Core Services for RHEL 8 RedHat jbcs-httpd24-apr-util-0:1.6.1-82.el8jbcs *
JBoss Core Services for RHEL 8 RedHat jbcs-httpd24-brotli-0:1.0.6-40.el8jbcs *
JBoss Core Services for RHEL 8 RedHat jbcs-httpd24-curl-0:7.77.0-2.el8jbcs *
JBoss Core Services for RHEL 8 RedHat jbcs-httpd24-httpd-0:2.4.37-74.el8jbcs *
JBoss Core Services for RHEL 8 RedHat jbcs-httpd24-jansson-0:2.11-55.el8jbcs *
JBoss Core Services for RHEL 8 RedHat jbcs-httpd24-mod_cluster-native-0:1.3.16-5.Final_redhat_2.el8jbcs *
JBoss Core Services for RHEL 8 RedHat jbcs-httpd24-mod_http2-0:1.15.7-17.el8jbcs *
JBoss Core Services for RHEL 8 RedHat jbcs-httpd24-mod_jk-0:1.2.48-16.redhat_1.el8jbcs *
JBoss Core Services for RHEL 8 RedHat jbcs-httpd24-mod_md-1:2.0.8-36.el8jbcs *
JBoss Core Services for RHEL 8 RedHat jbcs-httpd24-mod_security-0:2.9.2-63.GA.el8jbcs *
JBoss Core Services for RHEL 8 RedHat jbcs-httpd24-nghttp2-0:1.39.2-37.el8jbcs *
JBoss Core Services for RHEL 8 RedHat jbcs-httpd24-openssl-1:1.1.1g-6.el8jbcs *
JBoss Core Services for RHEL 8 RedHat jbcs-httpd24-openssl-chil-0:1.0.0-5.el8jbcs *
JBoss Core Services for RHEL 8 RedHat jbcs-httpd24-openssl-pkcs11-0:0.4.10-20.el8jbcs *
JBoss Core Services on RHEL 7 RedHat jbcs-httpd24-0:1-18.jbcs.el7 *
JBoss Core Services on RHEL 7 RedHat jbcs-httpd24-apr-0:1.6.3-105.jbcs.el7 *
JBoss Core Services on RHEL 7 RedHat jbcs-httpd24-apr-util-0:1.6.1-82.jbcs.el7 *
JBoss Core Services on RHEL 7 RedHat jbcs-httpd24-curl-0:7.77.0-2.jbcs.el7 *
JBoss Core Services on RHEL 7 RedHat jbcs-httpd24-httpd-0:2.4.37-74.jbcs.el7 *
JBoss Core Services on RHEL 7 RedHat jbcs-httpd24-jansson-0:2.11-55.jbcs.el7 *
JBoss Core Services on RHEL 7 RedHat jbcs-httpd24-mod_cluster-native-0:1.3.16-5.Final_redhat_2.jbcs.el7 *
JBoss Core Services on RHEL 7 RedHat jbcs-httpd24-mod_http2-0:1.15.7-17.jbcs.el7 *
JBoss Core Services on RHEL 7 RedHat jbcs-httpd24-mod_jk-0:1.2.48-16.redhat_1.jbcs.el7 *
JBoss Core Services on RHEL 7 RedHat jbcs-httpd24-mod_md-1:2.0.8-36.jbcs.el7 *
JBoss Core Services on RHEL 7 RedHat jbcs-httpd24-mod_security-0:2.9.2-63.GA.jbcs.el7 *
Red Hat Enterprise Linux 8 RedHat curl-0:7.61.1-18.el8 *

References