CVE-2020-8284 - Vulnerability Details

A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00129.

Key SSVC decision points have not yet been added.

Vendors	Products
Apple Subscribe	Mac Os X Subscribe Macos Subscribe
Debian Subscribe	Debian Linux Subscribe
Fedoraproject Subscribe	Fedora Subscribe
Fujitsu Subscribe	M10-1 Subscribe M10-1 Firmware Subscribe M10-4 Subscribe M10-4 Firmware Subscribe M10-4s Subscribe M10-4s Firmware Subscribe M12-1 Subscribe M12-1 Firmware Subscribe M12-2 Subscribe M12-2 Firmware Subscribe M12-2s Subscribe M12-2s Firmware Subscribe
Haxx Subscribe	Curl Subscribe
Netapp Subscribe	Clustered Data Ontap Subscribe Hci Bootstrap Os Subscribe Hci Compute Node Subscribe Hci Management Node Subscribe Hci Storage Node Subscribe Solidfire Subscribe
Oracle Subscribe	Communications Billing And Revenue Management Subscribe Communications Cloud Native Core Policy Subscribe Essbase Subscribe Peoplesoft Enterprise Peopletools Subscribe
Redhat Subscribe	Enterprise Linux Subscribe Jboss Core Services Subscribe
Siemens Subscribe	Sinec Infrastructure Network Services Subscribe
Splunk Subscribe	Universal Forwarder Subscribe

Configuration 1 [-]

cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:fedoraproject:fedora:32:::::::*
	cpe:2.3:o:fedoraproject:fedora:33:::::::*

Configuration 3 [-]

OR	cpe:2.3:o:debian:debian_linux:9.0:::::::*
	cpe:2.3:o:debian:debian_linux:10.0:::::::*

Configuration 4 [-]

OR	cpe:2.3:a:netapp:clustered_data_ontap:-:::::::*
	cpe:2.3:a:netapp:hci_management_node:-:::::::*
	cpe:2.3:a:netapp:solidfire:-:::::::*
	cpe:2.3:h:netapp:hci_storage_node:-:::::::*

Configuration 5 [-]

AND

cpe:2.3:o:netapp:hci_bootstrap_os:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:*

Configuration 6 [-]

OR	cpe:2.3:o:apple:mac_os_x::::::::
	cpe:2.3:o:apple:mac_os_x::::::::
	cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2019-001::::::
	cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2019-002::::::
	cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2019-004::::::
	cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2019-005::::::
	cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2019-006::::::
	cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2019-007::::::
	cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2020-001::::::
	cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2020-002::::::
	cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2020-003::::::
	cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2020-004::::::
	cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2020-005::::::
	cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2020-006::::::
	cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2020-007::::::
	cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2021-001::::::
	cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2021-002::::::
	cpe:2.3:o:apple:mac_os_x:10.14.6:supplemental_update::::::
	cpe:2.3:o:apple:mac_os_x:10.14.6:supplemental_update_2::::::
	cpe:2.3:o:apple:mac_os_x:10.15.7:-::::::
	cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2020::::::
	cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2020-001::::::
	cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2020-005::::::
	cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2020-007::::::
	cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-001::::::
	cpe:2.3:o:apple:mac_os_x:10.15.7:supplemental_update::::::
	cpe:2.3:o:apple:macos:11.0.1:::::::*
	cpe:2.3:o:apple:macos:11.1:::::::*
	cpe:2.3:o:apple:macos:11.2:::::::*

Configuration 7 [-]

OR	cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:::::::*
	cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:::::::*
	cpe:2.3:a:oracle:essbase:21.2:::::::*
	cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:::::::*

Configuration 8 [-]

AND

cpe:2.3:o:fujitsu:m10-1_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:fujitsu:m10-1:-:*:*:*:*:*:*:*

Configuration 9 [-]

AND

cpe:2.3:o:fujitsu:m10-4_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:fujitsu:m10-4:-:*:*:*:*:*:*:*

Configuration 10 [-]

AND

cpe:2.3:o:fujitsu:m10-4s_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:fujitsu:m10-4s:-:*:*:*:*:*:*:*

Configuration 11 [-]

AND

cpe:2.3:o:fujitsu:m12-1_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:fujitsu:m12-1:-:*:*:*:*:*:*:*

Configuration 12 [-]

AND

cpe:2.3:o:fujitsu:m12-2_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:fujitsu:m12-2:-:*:*:*:*:*:*:*

Configuration 13 [-]

AND

cpe:2.3:o:fujitsu:m12-2s_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:fujitsu:m12-2s:-:*:*:*:*:*:*:*

Configuration 14 [-]

AND

cpe:2.3:o:fujitsu:m10-1_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:fujitsu:m10-1:-:*:*:*:*:*:*:*

Configuration 15 [-]

AND

cpe:2.3:o:fujitsu:m10-4_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:fujitsu:m10-4:-:*:*:*:*:*:*:*

Configuration 16 [-]

AND

cpe:2.3:o:fujitsu:m10-4s_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:fujitsu:m10-4s:-:*:*:*:*:*:*:*

Configuration 17 [-]

AND

cpe:2.3:o:fujitsu:m12-1_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:fujitsu:m12-1:-:*:*:*:*:*:*:*

Configuration 18 [-]

AND

cpe:2.3:o:fujitsu:m12-2_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:fujitsu:m12-2:-:*:*:*:*:*:*:*

Configuration 19 [-]

AND

cpe:2.3:o:fujitsu:m12-2s_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:fujitsu:m12-2s:-:*:*:*:*:*:*:*

Configuration 20 [-]

cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*

Configuration 21 [-]

OR	cpe:2.3:a:splunk:universal_forwarder::::::::
	cpe:2.3:a:splunk:universal_forwarder::::::::
	cpe:2.3:a:splunk:universal_forwarder:9.1.0:::::::*

Package	CPE	Advisory	Released Date
JBoss Core Services Apache HTTP Server 2.4.37 SP8
curl	cpe:/a:redhat:jboss_core_services:1	RHSA-2021:2471	2021-06-17T00:00:00Z
JBoss Core Services for RHEL 8
jbcs-httpd24-0:1-18.el8jbcs	cpe:/a:redhat:jboss_core_services:1::el8	RHSA-2021:2472	2021-06-17T00:00:00Z
jbcs-httpd24-apr-0:1.6.3-105.el8jbcs	cpe:/a:redhat:jboss_core_services:1::el8	RHSA-2021:2472	2021-06-17T00:00:00Z
jbcs-httpd24-apr-util-0:1.6.1-82.el8jbcs	cpe:/a:redhat:jboss_core_services:1::el8	RHSA-2021:2472	2021-06-17T00:00:00Z
jbcs-httpd24-brotli-0:1.0.6-40.el8jbcs	cpe:/a:redhat:jboss_core_services:1::el8	RHSA-2021:2472	2021-06-17T00:00:00Z
jbcs-httpd24-curl-0:7.77.0-2.el8jbcs	cpe:/a:redhat:jboss_core_services:1::el8	RHSA-2021:2472	2021-06-17T00:00:00Z
jbcs-httpd24-httpd-0:2.4.37-74.el8jbcs	cpe:/a:redhat:jboss_core_services:1::el8	RHSA-2021:2472	2021-06-17T00:00:00Z
jbcs-httpd24-jansson-0:2.11-55.el8jbcs	cpe:/a:redhat:jboss_core_services:1::el8	RHSA-2021:2472	2021-06-17T00:00:00Z
jbcs-httpd24-mod_cluster-native-0:1.3.16-5.Final_redhat_2.el8jbcs	cpe:/a:redhat:jboss_core_services:1::el8	RHSA-2021:2472	2021-06-17T00:00:00Z
jbcs-httpd24-mod_http2-0:1.15.7-17.el8jbcs	cpe:/a:redhat:jboss_core_services:1::el8	RHSA-2021:2472	2021-06-17T00:00:00Z
jbcs-httpd24-mod_jk-0:1.2.48-16.redhat_1.el8jbcs	cpe:/a:redhat:jboss_core_services:1::el8	RHSA-2021:2472	2021-06-17T00:00:00Z
jbcs-httpd24-mod_md-1:2.0.8-36.el8jbcs	cpe:/a:redhat:jboss_core_services:1::el8	RHSA-2021:2472	2021-06-17T00:00:00Z
jbcs-httpd24-mod_security-0:2.9.2-63.GA.el8jbcs	cpe:/a:redhat:jboss_core_services:1::el8	RHSA-2021:2472	2021-06-17T00:00:00Z
jbcs-httpd24-nghttp2-0:1.39.2-37.el8jbcs	cpe:/a:redhat:jboss_core_services:1::el8	RHSA-2021:2472	2021-06-17T00:00:00Z
jbcs-httpd24-openssl-1:1.1.1g-6.el8jbcs	cpe:/a:redhat:jboss_core_services:1::el8	RHSA-2021:2472	2021-06-17T00:00:00Z
jbcs-httpd24-openssl-chil-0:1.0.0-5.el8jbcs	cpe:/a:redhat:jboss_core_services:1::el8	RHSA-2021:2472	2021-06-17T00:00:00Z
jbcs-httpd24-openssl-pkcs11-0:0.4.10-20.el8jbcs	cpe:/a:redhat:jboss_core_services:1::el8	RHSA-2021:2472	2021-06-17T00:00:00Z
JBoss Core Services on RHEL 7
jbcs-httpd24-0:1-18.jbcs.el7	cpe:/a:redhat:jboss_core_services:1::el7	RHSA-2021:2472	2021-06-17T00:00:00Z
jbcs-httpd24-apr-0:1.6.3-105.jbcs.el7	cpe:/a:redhat:jboss_core_services:1::el7	RHSA-2021:2472	2021-06-17T00:00:00Z
jbcs-httpd24-apr-util-0:1.6.1-82.jbcs.el7	cpe:/a:redhat:jboss_core_services:1::el7	RHSA-2021:2472	2021-06-17T00:00:00Z
jbcs-httpd24-curl-0:7.77.0-2.jbcs.el7	cpe:/a:redhat:jboss_core_services:1::el7	RHSA-2021:2472	2021-06-17T00:00:00Z
jbcs-httpd24-httpd-0:2.4.37-74.jbcs.el7	cpe:/a:redhat:jboss_core_services:1::el7	RHSA-2021:2472	2021-06-17T00:00:00Z
jbcs-httpd24-jansson-0:2.11-55.jbcs.el7	cpe:/a:redhat:jboss_core_services:1::el7	RHSA-2021:2472	2021-06-17T00:00:00Z
jbcs-httpd24-mod_cluster-native-0:1.3.16-5.Final_redhat_2.jbcs.el7	cpe:/a:redhat:jboss_core_services:1::el7	RHSA-2021:2472	2021-06-17T00:00:00Z
jbcs-httpd24-mod_http2-0:1.15.7-17.jbcs.el7	cpe:/a:redhat:jboss_core_services:1::el7	RHSA-2021:2472	2021-06-17T00:00:00Z
jbcs-httpd24-mod_jk-0:1.2.48-16.redhat_1.jbcs.el7	cpe:/a:redhat:jboss_core_services:1::el7	RHSA-2021:2472	2021-06-17T00:00:00Z
jbcs-httpd24-mod_md-1:2.0.8-36.jbcs.el7	cpe:/a:redhat:jboss_core_services:1::el7	RHSA-2021:2472	2021-06-17T00:00:00Z
jbcs-httpd24-mod_security-0:2.9.2-63.GA.jbcs.el7	cpe:/a:redhat:jboss_core_services:1::el7	RHSA-2021:2472	2021-06-17T00:00:00Z
Red Hat Enterprise Linux 8
curl-0:7.61.1-18.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2021:1610	2021-05-18T00:00:00Z

No data.

Advisories

Source	ID	Title
Debian DLA	DLA-2500-1	curl security update
Debian DLA	DLA-3205-1	inetutils security update
Debian DSA	DSA-4881-1	curl security update
Ubuntu USN	USN-4665-1	curl vulnerabilities
Ubuntu USN	USN-4665-2	curl vulnerabilities

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
https://curl.se/docs/CVE-2020-8284.html
https://hackerone.com/reports/1040166
https://lists.debian.org/debian-lts-announce/2020/12/msg00029.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DAEHE2S2QLO4AO4MEEYL75NB7SAH5PSL/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NZUVSQHN2ESHMJXNQ2Z7T2EELBB5HJXG/
https://nvd.nist.gov/vuln/detail/CVE-2020-8284
https://security.gentoo.org/glsa/202012-14
https://security.netapp.com/advisory/ntap-20210122-0007/
https://support.apple.com/kb/HT212325
https://support.apple.com/kb/HT212326
https://support.apple.com/kb/HT212327
https://www.cve.org/CVERecord?id=CVE-2020-8284
https://www.debian.org/security/2021/dsa-4881
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2022.html

History

Wed, 16 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00067}`	epss `{'score': 0.00069}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: hackerone

Published: 2020-12-14T19:38:26

Updated: 2024-08-04T09:56:28.316Z

Reserved: 2020-01-28T00:00:00

Link: CVE-2020-8284

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-12-14T20:15:13.903

Modified: 2024-11-21T05:38:39.193

Link: CVE-2020-8284

Redhat

Severity : Moderate

Publid Date: 2020-12-09T08:00:00Z

Links: CVE-2020-8284 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

Projects

JSON object

JSON object

JSON object

JSON object

JSON object