CVE-2020-8284 — LOW (3.7) — White Hats Nepal

Q: How severe is CVE-2020-8284?

CVE-2020-8284 has been rated LOW with a CVSS base score of 3.7/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-8284?

Check the references section above for vendor advisories and patch information. Affected products include: Haxx Curl, Fedoraproject Fedora, Debian Debian Linux, Netapp Clustered Data Ontap, Netapp Hci Management Node.

Vulnerability Description

A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.

CVSS Score

3.7

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Haxx	Curl	<= 7.73.0
Fedoraproject	Fedora	32
Debian	Debian Linux	9.0
Netapp	Clustered Data Ontap	-
Netapp	Hci Management Node	-
Netapp	Solidfire	-
Netapp	Hci Storage Node	-
Netapp	Hci Bootstrap Os	-
Netapp	Hci Compute Node	-
Apple	Mac Os X	>= 10.14.0, < 10.14.6
Apple	Macos	11.0.1
Oracle	Communications Billing And Revenue Management	12.0.0.3.0
Oracle	Communications Cloud Native Core Policy	1.14.0
Oracle	Essbase	21.2
Oracle	Peoplesoft Enterprise Peopletools	8.58
Fujitsu	M10-1 Firmware	< xcp2410
Fujitsu	M10-1	-
Fujitsu	M10-4 Firmware	< xcp2410
Fujitsu	M10-4	-
Fujitsu	M10-4S Firmware	< xcp2410

Related Weaknesses (CWE)

CWE-200

References

https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdfPatchThird Party Advisory
https://curl.se/docs/CVE-2020-8284.htmlVendor Advisory
https://hackerone.com/reports/1040166Permissions Required
https://lists.debian.org/debian-lts-announce/2020/12/msg00029.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing ListThird Party Advisory
https://security.gentoo.org/glsa/202012-14Third Party Advisory
https://security.netapp.com/advisory/ntap-20210122-0007/Third Party Advisory
https://support.apple.com/kb/HT212325Third Party Advisory
https://support.apple.com/kb/HT212326Third Party Advisory
https://support.apple.com/kb/HT212327Third Party Advisory
https://www.debian.org/security/2021/dsa-4881Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.htmlPatchThird Party Advisory

FAQ

What is CVE-2020-8284?

CVE-2020-8284 is a vulnerability with a CVSS score of 3.7 (LOW). A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about serv...

How severe is CVE-2020-8284?

CVE-2020-8284 has been rated LOW with a CVSS base score of 3.7/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-8284?

Check the references section above for vendor advisories and patch information. Affected products include: Haxx Curl, Fedoraproject Fedora, Debian Debian Linux, Netapp Clustered Data Ontap, Netapp Hci Management Node.