CVE-2020-8284
moderate-risk
Published 2020-12-14
A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.
Do I need to act?
-
0.10% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
3
CVSS 3.7/10
Low
NETWORK
/ HIGH complexity
Affected Products (20)
References (32)
Vendor Advisory
https://curl.se/docs/CVE-2020-8284.html
Permissions Required
https://hackerone.com/reports/1040166
Third Party Advisory
https://security.gentoo.org/glsa/202012-14
Third Party Advisory
https://security.netapp.com/advisory/ntap-20210122-0007/
Third Party Advisory
https://support.apple.com/kb/HT212325
Third Party Advisory
https://support.apple.com/kb/HT212326
Third Party Advisory
https://support.apple.com/kb/HT212327
Third Party Advisory
https://www.debian.org/security/2021/dsa-4881
Vendor Advisory
https://curl.se/docs/CVE-2020-8284.html
Permissions Required
https://hackerone.com/reports/1040166
and 12 more references
39
/ 100
moderate-risk
Severity
13/34 · Low
Exploitability
0/34 · Minimal
Exposure
26/34 · High