CVE-2020-8284

Published: 09 December 2020

A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and in this way potentially make curl extract information about services that are otherwise private and not disclosed, for example by performing port scanning and service banner extraction.
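The defensive behaviour that closes this hole is to parse the 227 PASV reply for the port only and open the data connection to the host the control connection already talks to (the semantics of curl's --ftp-skip-pasv-ip, which 7.74.0 made the default). The following is an added illustration written for this page, not curl's code; the reply strings and the control-peer address are constructed sample values.

```python
import re

# Six comma-separated decimal fields of an RFC 959 "227 Entering Passive Mode" reply:
# four address octets followed by the high and low bytes of the data port.
PASV_RE = re.compile(
    r"227[^\d]*(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
)


def parse_pasv(reply: str):
    """Return (advertised_ip, port) from a 227 reply, or raise ValueError."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a parsable 227 PASV reply")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("PASV field out of range")
    ip = ".".join(str(o) for o in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def data_connection_target(reply: str, control_peer_ip: str, skip_pasv_ip: bool = True):
    """Decide where the FTP data connection goes.

    With skip_pasv_ip=True (the hardened behaviour) the address in the reply is
    ignored and only the port is used; the data connection is made to the peer
    of the existing control connection. The third element of the result flags
    a reply whose advertised address differed from that peer, which is worth
    logging on a client.
    """
    advertised_ip, port = parse_pasv(reply)
    if skip_pasv_ip:
        return control_peer_ip, port, advertised_ip != control_peer_ip
    # Pre-fix behaviour: trust whatever address the server advertised.
    return advertised_ip, port, False


# Constructed sample: control connection is to 192.0.2.10 (documentation range).
CONTROL_PEER = "192.0.2.10"
HONEST_REPLY = "227 Entering Passive Mode (192,0,2,10,195,80)."
# A server advertising some other address, which must not be honoured.
REDIRECTING_REPLY = "227 Entering Passive Mode (10,0,0,5,0,22)."

if __name__ == "__main__":
    print(data_connection_target(HONEST_REPLY, CONTROL_PEER))
    print(data_connection_target(REDIRECTING_REPLY, CONTROL_PEER))
    print(data_connection_target(REDIRECTING_REPLY, CONTROL_PEER, skip_pasv_ip=False))
```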

Priority

Low

CVSS 3 base score: 3.7

Status

Package: curl (Launchpad, Ubuntu, Debian)

Release                          Status
Upstream                         Released (7.74.0)
Ubuntu 21.04 (Hirsute Hippo)     Pending (7.74.0-1ubuntu1)
Ubuntu 20.10 (Groovy Gorilla)    Released (7.68.0-1ubuntu4.2)
Ubuntu 20.04 LTS (Focal Fossa)   Released (7.68.0-1ubuntu2.4)
Ubuntu 18.04 LTS (Bionic Beaver) Released (7.58.0-2ubuntu3.12)
Ubuntu 16.04 LTS (Xenial Xerus)  Released (7.47.0-1ubuntu2.18)
Ubuntu 14.04 ESM (Trusty Tahr)   Released (7.35.0-1ubuntu2.20+esm6)
Patches:
Upstream: https://github.com/curl/curl/commit/ec9cc725d598ac