{"containers": {"cna": {"affected": [{"product": "https://github.com/curl/curl", "vendor": "n/a", "versions": [{"status": "affected", "version": "7.73.0 and earlier"}]}], "descriptions": [{"lang": "en", "value": "A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "Information Disclosure (CWE-200)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-04-19T23:23:26.000Z", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/1040166"}, {"tags": ["x_refsource_MISC"], "url": "https://curl.se/docs/CVE-2020-8284.html"}, {"name": "FEDORA-2020-ceaf490686", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NZUVSQHN2ESHMJXNQ2Z7T2EELBB5HJXG/"}, {"name": "[debian-lts-announce] 20201219 [SECURITY] [DLA 2500-1] curl security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00029.html"}, {"name": "FEDORA-2020-7ab62c73bc", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DAEHE2S2QLO4AO4MEEYL75NB7SAH5PSL/"}, {"name": "GLSA-202012-14", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202012-14"}, {"name": "DSA-4881", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2021/dsa-4881"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20210122-0007/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://support.apple.com/kb/HT212325"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://support.apple.com/kb/HT212326"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://support.apple.com/kb/HT212327"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "ID": "CVE-2020-8284", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "https://github.com/curl/curl", "version": {"version_data": [{"version_value": "7.73.0 and earlier"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Information Disclosure (CWE-200)"}]}]}, "references": {"reference_data": [{"name": "https://hackerone.com/reports/1040166", "refsource": "MISC", "url": "https://hackerone.com/reports/1040166"}, {"name": "https://curl.se/docs/CVE-2020-8284.html", "refsource": "MISC", "url": "https://curl.se/docs/CVE-2020-8284.html"}, {"name": "FEDORA-2020-ceaf490686", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZUVSQHN2ESHMJXNQ2Z7T2EELBB5HJXG/"}, {"name": "[debian-lts-announce] 20201219 [SECURITY] [DLA 2500-1] curl security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00029.html"}, {"name": "FEDORA-2020-7ab62c73bc", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DAEHE2S2QLO4AO4MEEYL75NB7SAH5PSL/"}, {"name": "GLSA-202012-14", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202012-14"}, {"name": "DSA-4881", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2021/dsa-4881"}, {"name": "https://www.oracle.com/security-alerts/cpuApr2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}, {"name": "https://security.netapp.com/advisory/ntap-20210122-0007/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210122-0007/"}, {"name": "https://support.apple.com/kb/HT212325", "refsource": "CONFIRM", "url": "https://support.apple.com/kb/HT212325"}, {"name": "https://support.apple.com/kb/HT212326", "refsource": "CONFIRM", "url": "https://support.apple.com/kb/HT212326"}, {"name": "https://support.apple.com/kb/HT212327", "refsource": "CONFIRM", "url": "https://support.apple.com/kb/HT212327"}, {"name": "https://www.oracle.com//security-alerts/cpujul2021.html", "refsource": "MISC", "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"name": "https://www.oracle.com/security-alerts/cpujan2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", "refsource": "CONFIRM", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T09:56:28.316Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://hackerone.com/reports/1040166"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://curl.se/docs/CVE-2020-8284.html"}, {"name": "FEDORA-2020-ceaf490686", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NZUVSQHN2ESHMJXNQ2Z7T2EELBB5HJXG/"}, {"name": "[debian-lts-announce] 20201219 [SECURITY] [DLA 2500-1] curl security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00029.html"}, {"name": "FEDORA-2020-7ab62c73bc", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DAEHE2S2QLO4AO4MEEYL75NB7SAH5PSL/"}, {"name": "GLSA-202012-14", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202012-14"}, {"name": "DSA-4881", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2021/dsa-4881"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20210122-0007/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://support.apple.com/kb/HT212325"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://support.apple.com/kb/HT212326"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://support.apple.com/kb/HT212327"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"}]}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T13:56:25.837320Z", "id": "CVE-2020-8284", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T13:59:17.253Z"}}]}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2020-8284", "datePublished": "2020-12-14T19:38:26.000Z", "dateReserved": "2020-01-28T00:00:00.000Z", "dateUpdated": "2026-04-16T13:59:17.253Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://hackerone.com/reports/1040166", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://curl.se/docs/CVE-2020-8284.html", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NZUVSQHN2ESHMJXNQ2Z7T2EELBB5HJXG/", "name": "FEDORA-2020-ceaf490686", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00029.html", "name": "[debian-lts-announce] 20201219 [SECURITY] [DLA 2500-1] curl security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DAEHE2S2QLO4AO4MEEYL75NB7SAH5PSL/", "name": "FEDORA-2020-7ab62c73bc", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"]}, {"url": "https://security.gentoo.org/glsa/202012-14", "name": "GLSA-202012-14", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"]}, {"url": "https://www.debian.org/security/2021/dsa-4881", "name": "DSA-4881", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"]}, {"url": "https://www.oracle.com/security-alerts/cpuApr2021.html", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20210122-0007/", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://support.apple.com/kb/HT212325", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://support.apple.com/kb/HT212326", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://support.apple.com/kb/HT212327", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://www.oracle.com//security-alerts/cpujul2021.html", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://www.oracle.com/security-alerts/cpujan2022.html", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://www.oracle.com/security-alerts/cpuapr2022.html", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", "tags": ["x_refsource_CONFIRM", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T09:56:28.316Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2020-8284", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-16T13:56:25.837320Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T13:56:20.503Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "https://github.com/curl/curl", "versions": [{"status": "affected", "version": "7.73.0 and earlier"}]}], "references": [{"url": "https://hackerone.com/reports/1040166", "tags": ["x_refsource_MISC"]}, {"url": "https://curl.se/docs/CVE-2020-8284.html", "tags": ["x_refsource_MISC"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NZUVSQHN2ESHMJXNQ2Z7T2EELBB5HJXG/", "name": "FEDORA-2020-ceaf490686", "tags": ["vendor-advisory", "x_refsource_FEDORA"]}, {"url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00029.html", "name": "[debian-lts-announce] 20201219 [SECURITY] [DLA 2500-1] curl security update", "tags": ["mailing-list", "x_refsource_MLIST"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DAEHE2S2QLO4AO4MEEYL75NB7SAH5PSL/", "name": "FEDORA-2020-7ab62c73bc", "tags": ["vendor-advisory", "x_refsource_FEDORA"]}, {"url": "https://security.gentoo.org/glsa/202012-14", "name": "GLSA-202012-14", "tags": ["vendor-advisory", "x_refsource_GENTOO"]}, {"url": "https://www.debian.org/security/2021/dsa-4881", "name": "DSA-4881", "tags": ["vendor-advisory", "x_refsource_DEBIAN"]}, {"url": "https://www.oracle.com/security-alerts/cpuApr2021.html", "tags": ["x_refsource_MISC"]}, {"url": "https://security.netapp.com/advisory/ntap-20210122-0007/", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://support.apple.com/kb/HT212325", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://support.apple.com/kb/HT212326", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://support.apple.com/kb/HT212327", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://www.oracle.com//security-alerts/cpujul2021.html", "tags": ["x_refsource_MISC"]}, {"url": "https://www.oracle.com/security-alerts/cpujan2022.html", "tags": ["x_refsource_MISC"]}, {"url": "https://www.oracle.com/security-alerts/cpuapr2022.html", "tags": ["x_refsource_MISC"]}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "Information Disclosure (CWE-200)"}]}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2022-04-19T23:23:26.000Z"}, "x_legacyV4Record": {"affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "7.73.0 and earlier"}]}, "product_name": "https://github.com/curl/curl"}]}, "vendor_name": "n/a"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "https://hackerone.com/reports/1040166", "name": "https://hackerone.com/reports/1040166", "refsource": "MISC"}, {"url": "https://curl.se/docs/CVE-2020-8284.html", "name": "https://curl.se/docs/CVE-2020-8284.html", "refsource": "MISC"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZUVSQHN2ESHMJXNQ2Z7T2EELBB5HJXG/", "name": "FEDORA-2020-ceaf490686", "refsource": "FEDORA"}, {"url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00029.html", "name": "[debian-lts-announce] 20201219 [SECURITY] [DLA 2500-1] curl security update", "refsource": "MLIST"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DAEHE2S2QLO4AO4MEEYL75NB7SAH5PSL/", "name": "FEDORA-2020-7ab62c73bc", "refsource": "FEDORA"}, {"url": "https://security.gentoo.org/glsa/202012-14", "name": "GLSA-202012-14", "refsource": "GENTOO"}, {"url": "https://www.debian.org/security/2021/dsa-4881", "name": "DSA-4881", "refsource": "DEBIAN"}, {"url": "https://www.oracle.com/security-alerts/cpuApr2021.html", "name": "https://www.oracle.com/security-alerts/cpuApr2021.html", "refsource": "MISC"}, {"url": "https://security.netapp.com/advisory/ntap-20210122-0007/", "name": "https://security.netapp.com/advisory/ntap-20210122-0007/", "refsource": "CONFIRM"}, {"url": "https://support.apple.com/kb/HT212325", "name": "https://support.apple.com/kb/HT212325", "refsource": "CONFIRM"}, {"url": "https://support.apple.com/kb/HT212326", "name": "https://support.apple.com/kb/HT212326", "refsource": "CONFIRM"}, {"url": "https://support.apple.com/kb/HT212327", "name": "https://support.apple.com/kb/HT212327", "refsource": "CONFIRM"}, {"url": "https://www.oracle.com//security-alerts/cpujul2021.html", "name": "https://www.oracle.com//security-alerts/cpujul2021.html", "refsource": "MISC"}, {"url": "https://www.oracle.com/security-alerts/cpujan2022.html", "name": "https://www.oracle.com/security-alerts/cpujan2022.html", "refsource": "MISC"}, {"url": "https://www.oracle.com/security-alerts/cpuapr2022.html", "name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC"}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", "refsource": "CONFIRM"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Information Disclosure (CWE-200)"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2020-8284", "STATE": "PUBLIC", "ASSIGNER": "support@hackerone.com"}}}}, "cveMetadata": {"cveId": "CVE-2020-8284", "state": "PUBLISHED", "dateUpdated": "2026-04-16T13:59:17.253Z", "dateReserved": "2020-01-28T00:00:00.000Z", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "datePublished": "2020-12-14T19:38:26.000Z", "assignerShortName": "hackerone"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*", "matchCriteriaId": "A4938AC8-A83F-48D8-861C-042B90B75CAA", "versionEndIncluding": "7.73.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*", "matchCriteriaId": "1FE996B1-6951-4F85-AA58-B99A379D2163", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*", "matchCriteriaId": "A3C19813-E823-456A-B1CE-EC0684CE1953", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*", "matchCriteriaId": "A6E9EF0C-AFA8-4F7B-9FDC-1E0F7C26E737", "vulnerable": true}, {"criteria": "cpe:2.3:h:netapp:hci_storage_node:-:*:*:*:*:*:*:*", "matchCriteriaId": "02DEB4FB-A21D-4CB1-B522-EEE5093E8521", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:netapp:hci_bootstrap_os:-:*:*:*:*:*:*:*", "matchCriteriaId": "1C767AA1-88B7-48F0-9F31-A89D16DCD52C", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:*", "matchCriteriaId": "AD7447BC-F315-4298-A822-549942FC118B", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*", "matchCriteriaId": "3E76BECE-0843-4B9F-90DE-7690764701B0", "versionEndExcluding": "10.14.6", "versionStartIncluding": "10.14.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*", "matchCriteriaId": "DB8A73F8-3074-4B32-B9F6-343B6B1988C5", "versionEndExcluding": "10.15.7", "versionStartIncluding": "10.15", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2019-001:*:*:*:*:*:*", "matchCriteriaId": "CFE26ECC-A2C2-4501-9950-510DE0E1BD86", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2019-002:*:*:*:*:*:*", "matchCriteriaId": "26108BEF-0847-4AB0-BD98-35344DFA7835", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2019-004:*:*:*:*:*:*", "matchCriteriaId": "A369D48B-6A0A-47AE-9513-D5E2E6F30931", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2019-005:*:*:*:*:*:*", "matchCriteriaId": "510F8317-94DA-498E-927A-83D5F41AF54A", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2019-006:*:*:*:*:*:*", "matchCriteriaId": "0D5D1970-6D2A-42CA-A203-42023D71730D", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2019-007:*:*:*:*:*:*", "matchCriteriaId": "C68AE52B-5139-40A4-AE9A-E752DBF07D1B", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2020-001:*:*:*:*:*:*", "matchCriteriaId": "0FD3467D-7679-479F-9C0B-A93F7CD0929D", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2020-002:*:*:*:*:*:*", "matchCriteriaId": "D4C6098E-EDBD-4A85-8282-B2E9D9333872", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2020-003:*:*:*:*:*:*", "matchCriteriaId": "518BB47B-DD76-4E8C-9F10-7EBC1E146191", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2020-004:*:*:*:*:*:*", "matchCriteriaId": "63940A55-D851-46EB-9668-D82BEFC1FE95", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2020-005:*:*:*:*:*:*", "matchCriteriaId": "68C7A97A-3801-44FA-96CA-10298FA39883", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2020-006:*:*:*:*:*:*", "matchCriteriaId": "6D69914D-46C7-4A0E-A075-C863C1692D33", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2020-007:*:*:*:*:*:*", "matchCriteriaId": "9CDB4476-B521-43E4-A129-8718A8E0A8CD", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2021-001:*:*:*:*:*:*", "matchCriteriaId": "9D072B77-BE3F-4A2E-B66A-E2C8DC3781E4", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2021-002:*:*:*:*:*:*", "matchCriteriaId": "A4A6BF78-B772-435C-AC1A-2199027CCF9E", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:mac_os_x:10.14.6:supplemental_update:*:*:*:*:*:*", "matchCriteriaId": "2C88BD98-46F5-447F-963A-FB9B167E31BE", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:mac_os_x:10.14.6:supplemental_update_2:*:*:*:*:*:*", "matchCriteriaId": "C7A0615B-D958-4BBF-B53F-AA839A0FE845", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:mac_os_x:10.15.7:-:*:*:*:*:*:*", "matchCriteriaId": "A654B8A2-FC30-4171-B0BB-366CD7ED4B6A", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2020:*:*:*:*:*:*", "matchCriteriaId": "F12CC8B5-C1EB-419E-8496-B9A3864656AD", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2020-001:*:*:*:*:*:*", "matchCriteriaId": "F1F4BF7F-90D4-4668-B4E6-B06F4070F448", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2020-005:*:*:*:*:*:*", "matchCriteriaId": "7FD7176C-F4D1-43A7-9E49-BA92CA0D9980", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2020-007:*:*:*:*:*:*", "matchCriteriaId": "2703DE0B-8A9E-4A9D-9AE8-028E22BF47CA", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-001:*:*:*:*:*:*", "matchCriteriaId": "0F441A43-1669-478D-9EC8-E96882DE4F9F", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:mac_os_x:10.15.7:supplemental_update:*:*:*:*:*:*", "matchCriteriaId": "C1C795B9-E58D-467C-83A8-2D45C792292F", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:macos:11.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "96C3F2DF-96A5-40F2-B5C7-E961C2EE4489", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:macos:11.1:*:*:*:*:*:*:*", "matchCriteriaId": "D120FD05-70E5-46AE-9B43-4F97BC8E05FE", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:macos:11.2:*:*:*:*:*:*:*", "matchCriteriaId": "752548E2-BB8F-49AB-9D80-38182232989B", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "E39D442D-1997-49AF-8B02-5640BE2A26CC", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*", "matchCriteriaId": "4479F76A-4B67-41CC-98C7-C76B81050F8E", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:essbase:21.2:*:*:*:*:*:*:*", "matchCriteriaId": "394A16F2-CCD4-44E5-BF6B-E0C782A9FA38", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*", "matchCriteriaId": "D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fujitsu:m10-1_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "5E63B7B2-409A-476E-BA12-2A2D2F3B85DE", "versionEndExcluding": "xcp2410", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:fujitsu:m10-1:-:*:*:*:*:*:*:*", "matchCriteriaId": "983D27DE-BC89-454E-AE47-95A26A3651E2", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fujitsu:m10-4_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "ADB5D4C9-DA14-4188-9181-17336F9445F6", "versionEndExcluding": "xcp2410", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:fujitsu:m10-4:-:*:*:*:*:*:*:*", "matchCriteriaId": "5825AEE1-B668-40BD-86A9-2799430C742C", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fujitsu:m10-4s_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "0B65E2F3-57EC-46C0-BB4A-0A0F3F8D387E", "versionEndExcluding": "xcp2410", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:fujitsu:m10-4s:-:*:*:*:*:*:*:*", "matchCriteriaId": "3DA2D526-BDCF-4A65-914A-B3BA3A0CD613", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fujitsu:m12-1_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "90B7CFBF-761C-4EAA-A322-EF5E294AADED", "versionEndExcluding": "xcp2410", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:fujitsu:m12-1:-:*:*:*:*:*:*:*", "matchCriteriaId": "EE0CF40B-E5BD-4558-9321-184D58EF621D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fujitsu:m12-2_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "48B28ABF-7E1A-4A1E-8F78-0D95D7BDF886", "versionEndExcluding": "xcp2410", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:fujitsu:m12-2:-:*:*:*:*:*:*:*", "matchCriteriaId": "0F3C9C09-7B2B-4DB6-8BE0-35302ED35776", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fujitsu:m12-2s_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "E74AAF52-1388-4BD9-B17B-3A6A32CA3608", "versionEndExcluding": "xcp2410", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:fujitsu:m12-2s:-:*:*:*:*:*:*:*", "matchCriteriaId": "95503CE5-1D06-4092-A60D-D310AADCAFB1", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fujitsu:m10-1_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "A107698C-9C63-44A9-8A2B-81EDD5702B4C", "versionEndExcluding": "xcp3110", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:fujitsu:m10-1:-:*:*:*:*:*:*:*", "matchCriteriaId": "983D27DE-BC89-454E-AE47-95A26A3651E2", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fujitsu:m10-4_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "0FC0460E-4695-44FB-99EE-28B2C957B760", "versionEndExcluding": "xcp3110", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:fujitsu:m10-4:-:*:*:*:*:*:*:*", "matchCriteriaId": "5825AEE1-B668-40BD-86A9-2799430C742C", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fujitsu:m10-4s_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "BD54A092-85A7-4459-9C69-19E6E24AC24B", "versionEndExcluding": "xcp3110", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:fujitsu:m10-4s:-:*:*:*:*:*:*:*", "matchCriteriaId": "3DA2D526-BDCF-4A65-914A-B3BA3A0CD613", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fujitsu:m12-1_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "5F813DBC-BA1E-4C73-AA11-1BD3F9508372", "versionEndExcluding": "xcp3110", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:fujitsu:m12-1:-:*:*:*:*:*:*:*", "matchCriteriaId": "EE0CF40B-E5BD-4558-9321-184D58EF621D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fujitsu:m12-2_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "EFDF4F39-1C6C-4AD3-99CF-BD5B44B8C71B", "versionEndExcluding": "xcp3110", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:fujitsu:m12-2:-:*:*:*:*:*:*:*", "matchCriteriaId": "0F3C9C09-7B2B-4DB6-8BE0-35302ED35776", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fujitsu:m12-2s_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "416B805F-799A-4466-AC5A-93D083A2ABBD", "versionEndExcluding": "xcp3110", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:fujitsu:m12-2s:-:*:*:*:*:*:*:*", "matchCriteriaId": "95503CE5-1D06-4092-A60D-D310AADCAFB1", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*", "matchCriteriaId": "B0F46497-4AB0-49A7-9453-CC26837BF253", "versionEndExcluding": "1.0.1.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*", "matchCriteriaId": "5722E753-75DE-4944-A11B-556CB299B57D", "versionEndExcluding": "8.2.12", "versionStartIncluding": "8.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*", "matchCriteriaId": "DC0F9351-81A4-4FEA-B6B5-6E960A933D32", "versionEndExcluding": "9.0.6", "versionStartIncluding": "9.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "EED24E67-2957-4C1B-8FEA-E2D2FE7B97FC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions."}, {"lang": "es", "value": "Un servidor malicioso puede usar la respuesta FTP PASV para enga\u00f1ar a curl versiones 7.73.0 y anteriores, para que se conecte de nuevo a una direcci\u00f3n IP y puerto determinados, y de esta manera potencialmente hacer que curl extraiga informaci\u00f3n sobre servicios que de otro modo ser\u00edan privados y no divulgados, por ejemplo, haciendo escaneo de puerto y extracciones del banner de servicio"}], "id": "CVE-2020-8284", "lastModified": "2026-04-16T15:16:42.530", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2020-12-14T20:15:13.903", "references": [{"source": "support@hackerone.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"}, {"source": "support@hackerone.com", "tags": ["Vendor Advisory"], "url": "https://curl.se/docs/CVE-2020-8284.html"}, {"source": "support@hackerone.com", "tags": ["Permissions Required"], "url": "https://hackerone.com/reports/1040166"}, {"source": "support@hackerone.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00029.html"}, {"source": "support@hackerone.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DAEHE2S2QLO4AO4MEEYL75NB7SAH5PSL/"}, {"source": "support@hackerone.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NZUVSQHN2ESHMJXNQ2Z7T2EELBB5HJXG/"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202012-14"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210122-0007/"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://support.apple.com/kb/HT212325"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://support.apple.com/kb/HT212326"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://support.apple.com/kb/HT212327"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2021/dsa-4881"}, {"source": "support@hackerone.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"source": "support@hackerone.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}, {"source": "support@hackerone.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"source": "support@hackerone.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://curl.se/docs/CVE-2020-8284.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required"], "url": "https://hackerone.com/reports/1040166"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00029.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DAEHE2S2QLO4AO4MEEYL75NB7SAH5PSL/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NZUVSQHN2ESHMJXNQ2Z7T2EELBB5HJXG/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202012-14"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210122-0007/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://support.apple.com/kb/HT212325"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://support.apple.com/kb/HT212326"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://support.apple.com/kb/HT212327"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2021/dsa-4881"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "support@hackerone.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Varnavas Papaioannou for reporting this issue.", "affected_release": [{"advisory": "RHSA-2021:2471", "cpe": "cpe:/a:redhat:jboss_core_services:1", "package": "curl", "product_name": "JBoss Core Services Apache HTTP Server 2.4.37 SP8", "release_date": "2021-06-17T00:00:00Z"}, {"advisory": "RHSA-2021:2472", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-0:1-18.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2021-06-17T00:00:00Z"}, {"advisory": "RHSA-2021:2472", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-apr-0:1.6.3-105.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2021-06-17T00:00:00Z"}, {"advisory": "RHSA-2021:2472", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-apr-util-0:1.6.1-82.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2021-06-17T00:00:00Z"}, {"advisory": "RHSA-2021:2472", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-brotli-0:1.0.6-40.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2021-06-17T00:00:00Z"}, {"advisory": "RHSA-2021:2472", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-curl-0:7.77.0-2.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2021-06-17T00:00:00Z"}, {"advisory": "RHSA-2021:2472", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-httpd-0:2.4.37-74.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2021-06-17T00:00:00Z"}, {"advisory": "RHSA-2021:2472", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-jansson-0:2.11-55.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2021-06-17T00:00:00Z"}, {"advisory": "RHSA-2021:2472", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-mod_cluster-native-0:1.3.16-5.Final_redhat_2.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2021-06-17T00:00:00Z"}, {"advisory": "RHSA-2021:2472", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-mod_http2-0:1.15.7-17.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2021-06-17T00:00:00Z"}, {"advisory": "RHSA-2021:2472", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-mod_jk-0:1.2.48-16.redhat_1.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2021-06-17T00:00:00Z"}, {"advisory": "RHSA-2021:2472", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-mod_md-1:2.0.8-36.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2021-06-17T00:00:00Z"}, {"advisory": "RHSA-2021:2472", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-mod_security-0:2.9.2-63.GA.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2021-06-17T00:00:00Z"}, {"advisory": "RHSA-2021:2472", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-nghttp2-0:1.39.2-37.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2021-06-17T00:00:00Z"}, {"advisory": "RHSA-2021:2472", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-openssl-1:1.1.1g-6.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2021-06-17T00:00:00Z"}, {"advisory": "RHSA-2021:2472", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-openssl-chil-0:1.0.0-5.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2021-06-17T00:00:00Z"}, {"advisory": "RHSA-2021:2472", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-openssl-pkcs11-0:0.4.10-20.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2021-06-17T00:00:00Z"}, {"advisory": "RHSA-2021:2472", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-0:1-18.jbcs.el7", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2021-06-17T00:00:00Z"}, {"advisory": "RHSA-2021:2472", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-apr-0:1.6.3-105.jbcs.el7", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2021-06-17T00:00:00Z"}, {"advisory": "RHSA-2021:2472", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-apr-util-0:1.6.1-82.jbcs.el7", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2021-06-17T00:00:00Z"}, {"advisory": "RHSA-2021:2472", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-curl-0:7.77.0-2.jbcs.el7", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2021-06-17T00:00:00Z"}, {"advisory": "RHSA-2021:2472", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-httpd-0:2.4.37-74.jbcs.el7", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2021-06-17T00:00:00Z"}, {"advisory": "RHSA-2021:2472", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-jansson-0:2.11-55.jbcs.el7", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2021-06-17T00:00:00Z"}, {"advisory": "RHSA-2021:2472", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_cluster-native-0:1.3.16-5.Final_redhat_2.jbcs.el7", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2021-06-17T00:00:00Z"}, {"advisory": "RHSA-2021:2472", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_http2-0:1.15.7-17.jbcs.el7", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2021-06-17T00:00:00Z"}, {"advisory": "RHSA-2021:2472", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_jk-0:1.2.48-16.redhat_1.jbcs.el7", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2021-06-17T00:00:00Z"}, {"advisory": "RHSA-2021:2472", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_md-1:2.0.8-36.jbcs.el7", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2021-06-17T00:00:00Z"}, {"advisory": "RHSA-2021:2472", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_security-0:2.9.2-63.GA.jbcs.el7", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2021-06-17T00:00:00Z"}, {"advisory": "RHSA-2021:1610", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "curl-0:7.61.1-18.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-05-18T00:00:00Z"}], "bugzilla": {"description": "curl: FTP PASV command response can cause curl to connect to arbitrary host", "id": "1902667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1902667"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "status": "verified"}, "cwe": "CWE-200", "details": ["A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.", "A malicious server can use the `PASV` response to trick curl into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions. If curl operates on a URL provided by a user, a user can exploit that and pass in a URL to a malicious FTP server instance without needing any server breach to perform the attack."], "mitigation": {"lang": "en:us", "value": "This flaw can be mitigated in curl as shipped with Red Hat Enterprise Linux and Red Hat Software Collections when using curl by passing the `--ftp-skip-pasv-ip` command line option to curl. For usage of libcurl, set `CURLOPT_FTP_SKIP_PASV_IP` to `1L`[1]. Note that these mitigations could cause problems in the uncommon instance that the server needs the client to connect back to an IP other than the control connection IP address.\n1. https://curl.se/libcurl/c/CURLOPT_FTP_SKIP_PASV_IP.html"}, "name": "CVE-2020-8284", "package_state": [{"cpe": "cpe:/a:redhat:rhel_dotnet:2.1", "fix_state": "Not affected", "package_name": "rh-dotnet21-curl", "product_name": ".NET Core 2.1 on Red Hat Enterprise Linux"}, {"cpe": "cpe:/a:redhat:rhel_dotnet:3.1", "fix_state": "Not affected", "package_name": "rh-dotnet31-curl", "product_name": ".NET Core 3.1 on Red Hat Enterprise Linux"}, {"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Out of support scope", "package_name": "curl", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Out of support scope", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "httpd24-curl", "product_name": "Red Hat Software Collections"}], "public_date": "2020-12-09T08:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-8284\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-8284\nhttps://curl.se/docs/CVE-2020-8284.html"], "threat_severity": "Moderate"}

{}