CVE-2020-8284

A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.

CVSS v3 3.7 LOW
CVSS v2.0 4.3 MEDIUM

3.7^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.3^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:P/I:N/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf	Patch Third Party Advisory
https://curl.se/docs/CVE-2020-8284.html	Vendor Advisory
https://hackerone.com/reports/1040166	Permissions Required
https://lists.debian.org/debian-lts-announce/2020/12/msg00029.html	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DAEHE2S2QLO4AO4MEEYL75NB7SAH5PSL/	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NZUVSQHN2ESHMJXNQ2Z7T2EELBB5HJXG/	Mailing List Third Party Advisory
https://security.gentoo.org/glsa/202012-14	Third Party Advisory
https://security.netapp.com/advisory/ntap-20210122-0007/	Third Party Advisory
https://support.apple.com/kb/HT212325	Third Party Advisory
https://support.apple.com/kb/HT212326	Third Party Advisory
https://support.apple.com/kb/HT212327	Third Party Advisory
https://www.debian.org/security/2021/dsa-4881	Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:o:fedoraproject:fedora:32:::::::*
	cpe:2.3:o:fedoraproject:fedora:33:::::::*

Configuration 3 (hide)

OR	cpe:2.3:o:debian:debian_linux:9.0:::::::*
	cpe:2.3:o:debian:debian_linux:10.0:::::::*

Configuration 4 (hide)

OR	cpe:2.3:a:netapp:clustered_data_ontap:-:::::::*
	cpe:2.3:a:netapp:hci_management_node:-:::::::*
	cpe:2.3:a:netapp:solidfire:-:::::::*
	cpe:2.3:h:netapp:hci_storage_node:-:::::::*

Configuration 5 (hide)

AND

cpe:2.3:o:netapp:hci_bootstrap_os:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:*

Configuration 6 (hide)

OR	cpe:2.3:o:apple:mac_os_x::::::::
	cpe:2.3:o:apple:mac_os_x::::::::
	cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2019-001::::::
	cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2019-002::::::
	cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2019-004::::::
	cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2019-005::::::
	cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2019-006::::::
	cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2019-007::::::
	cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2020-001::::::
	cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2020-002::::::
	cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2020-003::::::
	cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2020-004::::::
	cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2020-005::::::
	cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2020-006::::::
	cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2020-007::::::
	cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2021-001::::::
	cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2021-002::::::
	cpe:2.3:o:apple:mac_os_x:10.14.6:supplemental_update::::::
	cpe:2.3:o:apple:mac_os_x:10.14.6:supplemental_update_2::::::
	cpe:2.3:o:apple:mac_os_x:10.15.7:-::::::
	cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2020::::::
	cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2020-001::::::
	cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2020-005::::::
	cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2020-007::::::
	cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-001::::::
	cpe:2.3:o:apple:mac_os_x:10.15.7:supplemental_update::::::
	cpe:2.3:o:apple:macos:11.0.1:::::::*
	cpe:2.3:o:apple:macos:11.1:::::::*
	cpe:2.3:o:apple:macos:11.2:::::::*

Configuration 7 (hide)

OR	cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:::::::*
	cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:::::::*
	cpe:2.3:a:oracle:essbase:21.2:::::::*
	cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:::::::*

Configuration 8 (hide)

AND

cpe:2.3:o:fujitsu:m10-1_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:fujitsu:m10-1:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND

cpe:2.3:o:fujitsu:m10-4_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:fujitsu:m10-4:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND

cpe:2.3:o:fujitsu:m10-4s_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:fujitsu:m10-4s:-:*:*:*:*:*:*:*

Configuration 11 (hide)

AND

cpe:2.3:o:fujitsu:m12-1_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:fujitsu:m12-1:-:*:*:*:*:*:*:*

Configuration 12 (hide)

AND

cpe:2.3:o:fujitsu:m12-2_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:fujitsu:m12-2:-:*:*:*:*:*:*:*

Configuration 13 (hide)

AND

cpe:2.3:o:fujitsu:m12-2s_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:fujitsu:m12-2s:-:*:*:*:*:*:*:*

Configuration 14 (hide)

AND

cpe:2.3:o:fujitsu:m10-1_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:fujitsu:m10-1:-:*:*:*:*:*:*:*

Configuration 15 (hide)

AND

cpe:2.3:o:fujitsu:m10-4_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:fujitsu:m10-4:-:*:*:*:*:*:*:*

Configuration 16 (hide)

AND

cpe:2.3:o:fujitsu:m10-4s_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:fujitsu:m10-4s:-:*:*:*:*:*:*:*

Configuration 17 (hide)

AND

cpe:2.3:o:fujitsu:m12-1_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:fujitsu:m12-1:-:*:*:*:*:*:*:*

Configuration 18 (hide)

AND

cpe:2.3:o:fujitsu:m12-2_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:fujitsu:m12-2:-:*:*:*:*:*:*:*

Configuration 19 (hide)

AND

cpe:2.3:o:fujitsu:m12-2s_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:fujitsu:m12-2s:-:*:*:*:*:*:*:*

Configuration 20 (hide)

cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*

Configuration 21 (hide)

OR	cpe:2.3:a:splunk:universal_forwarder::::::::
	cpe:2.3:a:splunk:universal_forwarder::::::::
	cpe:2.3:a:splunk:universal_forwarder:9.1.0:::::::*

History

27 Mar 2024, 15:50

Type	Values Removed	Values Added
First Time		Splunk Splunk universal Forwarder
CPE		cpe:2.3:a:splunk:universal_forwarder:::::::: cpe:2.3:a:splunk:universal_forwarder:9.1.0:::::::*
References	~~() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DAEHE2S2QLO4AO4MEEYL75NB7SAH5PSL/ -~~	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DAEHE2S2QLO4AO4MEEYL75NB7SAH5PSL/ - Mailing List, Third Party Advisory
References	~~() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NZUVSQHN2ESHMJXNQ2Z7T2EELBB5HJXG/ -~~	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NZUVSQHN2ESHMJXNQ2Z7T2EELBB5HJXG/ - Mailing List, Third Party Advisory

07 Nov 2023, 03:26

Type	Values Removed	Values Added
References	{'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DAEHE2S2QLO4AO4MEEYL75NB7SAH5PSL/', 'name': 'FEDORA-2020-7ab62c73bc', 'tags': ['Third Party Advisory'], 'refsource': 'FEDORA'} {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZUVSQHN2ESHMJXNQ2Z7T2EELBB5HJXG/', 'name': 'FEDORA-2020-ceaf490686', 'tags': ['Third Party Advisory'], 'refsource': 'FEDORA'}	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NZUVSQHN2ESHMJXNQ2Z7T2EELBB5HJXG/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DAEHE2S2QLO4AO4MEEYL75NB7SAH5PSL/ -

13 May 2022, 20:57

Type	Values Removed	Values Added
First Time		Oracle communications Cloud Native Core Policy Siemens sinec Infrastructure Network Services Siemens
CPE		cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:::::::* cpe:2.3:a:siemens:sinec_infrastructure_network_services::::::::
References	~~(MISC) https://www.oracle.com/security-alerts/cpuapr2022.html -~~	(MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory
References	~~(CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf - Third Party Advisory~~	(CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf - Patch, Third Party Advisory

20 Apr 2022, 00:15

Type	Values Removed	Values Added
References		(MISC) https://www.oracle.com/security-alerts/cpuapr2022.html -

04 Apr 2022, 14:26

Type	Values Removed	Values Added
First Time		Fujitsu m12-2s Firmware Fujitsu m10-4 Fujitsu m10-1 Firmware Fujitsu m12-2 Firmware Fujitsu Fujitsu m10-1 Fujitsu m12-1 Fujitsu m10-4s Fujitsu m10-4 Firmware Fujitsu m12-2 Fujitsu m10-4s Firmware Fujitsu m12-1 Firmware Fujitsu m12-2s
References	~~(CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf -~~	(CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf - Third Party Advisory
References	~~(MISC) https://www.oracle.com/security-alerts/cpujan2022.html -~~	(MISC) https://www.oracle.com/security-alerts/cpujan2022.html - Patch, Third Party Advisory
CPE		cpe:2.3:o:fujitsu:m10-4s_firmware:::::::: cpe:2.3:h:fujitsu:m10-4s:-:::::::* cpe:2.3:h:fujitsu:m12-2s:-:::::::* cpe:2.3:h:fujitsu:m12-2:-:::::::* cpe:2.3:h:fujitsu:m10-4:-:::::::* cpe:2.3:o:fujitsu:m10-4_firmware:::::::: cpe:2.3:o:fujitsu:m12-2s_firmware:::::::: cpe:2.3:h:fujitsu:m10-1:-:::::::* cpe:2.3:o:fujitsu:m12-2_firmware:::::::: cpe:2.3:o:fujitsu:m12-1_firmware:::::::: cpe:2.3:o:fujitsu:m10-1_firmware:::::::: cpe:2.3:h:fujitsu:m12-1:-:::::::*

10 Mar 2022, 17:41

Type	Values Removed	Values Added
References		(CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf -

07 Feb 2022, 16:15

Type	Values Removed	Values Added
References		(MISC) https://www.oracle.com/security-alerts/cpujan2022.html -

23 Sep 2021, 13:56

Type	Values Removed	Values Added
CPE		cpe:2.3:o:netapp:hci_bootstrap_os:-:::::::* cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2020-005:::::: cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:::::::* cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2020:::::: cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2020-003:::::: cpe:2.3:o:apple:mac_os_x:10.15.7:-:::::: cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-001:::::: cpe:2.3:o:apple:macos:11.0.1:::::::* cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2019-005:::::: cpe:2.3:o:apple:macos:11.1:::::::* cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2020-007:::::: cpe:2.3:a:netapp:clustered_data_ontap:-:::::::* cpe:2.3:a:netapp:solidfire:-:::::::* cpe:2.3:a:oracle:essbase:21.2:::::::* cpe:2.3:o:apple:mac_os_x:10.15.7:supplemental_update:::::: cpe:2.3:o:apple:mac_os_x:10.14.6:supplemental_update:::::: cpe:2.3:h:netapp:hci_compute_node:-:::::::* cpe:2.3:o:apple:macos:11.2:::::::* cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2020-004:::::: cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2021-001:::::: cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2021-002:::::: cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2020-005:::::: cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2020-007:::::: cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2020-002:::::: cpe:2.3:h:netapp:hci_storage_node:-:::::::* cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2020-001:::::: cpe:2.3:o:apple:mac_os_x:::::::: cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:::::::* cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2019-002:::::: cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2020-006:::::: cpe:2.3:o:apple:mac_os_x:10.14.6:supplemental_update_2:::::: cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2020-001:::::: cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2019-001:::::: cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2019-006:::::: cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2019-007:::::: cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2019-004:::::: cpe:2.3:a:netapp:hci_management_node:-:::::::* cpe:2.3:o:debian:debian_linux:10.0:::::::*
References	~~(CONFIRM) https://support.apple.com/kb/HT212325 -~~	(CONFIRM) https://support.apple.com/kb/HT212325 - Third Party Advisory
References	~~(DEBIAN) https://www.debian.org/security/2021/dsa-4881 -~~	(DEBIAN) https://www.debian.org/security/2021/dsa-4881 - Third Party Advisory
References	~~(MISC) https://www.oracle.com/security-alerts/cpuApr2021.html -~~	(MISC) https://www.oracle.com/security-alerts/cpuApr2021.html - Patch, Third Party Advisory
References	~~(N/A) https://www.oracle.com//security-alerts/cpujul2021.html -~~	(N/A) https://www.oracle.com//security-alerts/cpujul2021.html - Patch, Third Party Advisory
References	~~(CONFIRM) https://support.apple.com/kb/HT212326 -~~	(CONFIRM) https://support.apple.com/kb/HT212326 - Third Party Advisory
References	~~(CONFIRM) https://support.apple.com/kb/HT212327 -~~	(CONFIRM) https://support.apple.com/kb/HT212327 - Third Party Advisory
References	~~(GENTOO) https://security.gentoo.org/glsa/202012-14 -~~	(GENTOO) https://security.gentoo.org/glsa/202012-14 - Third Party Advisory
References	~~(CONFIRM) https://security.netapp.com/advisory/ntap-20210122-0007/ -~~	(CONFIRM) https://security.netapp.com/advisory/ntap-20210122-0007/ - Third Party Advisory
CWE	~~CWE-200~~	NVD-CWE-noinfo

22 Sep 2021, 14:22

Type	Values Removed	Values Added
References		(N/A) https://www.oracle.com//security-alerts/cpujul2021.html -

14 Jun 2021, 18:15

Type	Values Removed	Values Added
References		(CONFIRM) https://support.apple.com/kb/HT212325 - (CONFIRM) https://support.apple.com/kb/HT212326 - (CONFIRM) https://support.apple.com/kb/HT212327 - (MISC) https://www.oracle.com/security-alerts/cpuApr2021.html -

01 Apr 2021, 00:15

Type	Values Removed	Values Added
References		(DEBIAN) https://www.debian.org/security/2021/dsa-4881 -

26 Jan 2021, 18:16

Type	Values Removed	Values Added
References		(CONFIRM) https://security.netapp.com/advisory/ntap-20210122-0007/ -

Information

Published : 2020-12-14 20:15

Updated : 2024-04-08 22:50

NVD link : CVE-2020-8284

Mitre link : CVE-2020-8284

CVE.ORG link : CVE-2020-8284

JSON object : View

Products Affected

apple

macos
mac_os_x

fujitsu

m12-1
m10-1
m12-1_firmware
m10-4_firmware
m10-4s_firmware
m12-2s
m12-2s_firmware
m12-2_firmware
m12-2
m10-4
m10-4s
m10-1_firmware

netapp

hci_storage_node
hci_management_node
solidfire
hci_compute_node
hci_bootstrap_os
clustered_data_ontap

oracle

essbase
communications_cloud_native_core_policy
communications_billing_and_revenue_management
peoplesoft_enterprise_peopletools

siemens

sinec_infrastructure_network_services

haxx

curl

fedoraproject

fedora

splunk

universal_forwarder

debian

debian_linux

CWE

NVD-CWE-noinfo CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

3.7 /10

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.3 /10

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2020-8284

3.7^/10

4.3^/10

Attach tags to `CVE-2020-8284`