{"id":"CURL-CVE-2020-8284","summary":"trusting FTP PASV responses","details":"When curl performs a passive FTP transfer, it first tries the `EPSV` command\nand if that is not supported, it falls back to using `PASV`. Passive mode is\nwhat curl uses by default.\n\nA server response to a `PASV` command includes the (IPv4) address and port\nnumber for the client to connect back to in order to perform the actual data\ntransfer.\n\nThis is how the FTP protocol is designed to work.\n\nA malicious server can use the `PASV` response to trick curl into connecting\nback to a given IP address and port, and this way potentially make curl\nextract information about services that are otherwise private and not\ndisclosed, for example doing port scanning and service banner extractions.\n\nIf curl operates on a URL provided by a user (which by all means is an unwise\nsetup), a user can exploit that and pass in a URL to a malicious FTP server\ninstance without needing any server breach to perform the attack.","aliases":["CVE-2020-8284"],"modified":"2024-07-02T09:22:24Z","published":"2020-12-09T08:00:00Z","database_specific":{"www":"https://curl.se/docs/CVE-2020-8284.html","issue":"https://hackerone.com/reports/1040166","URL":"https://curl.se/docs/CVE-2020-8284.json","CWE":{"id":"CWE-200","desc":"Exposure of Sensitive Information to an Unauthorized Actor"},"award":{"currency":"USD","amount":"700"},"package":"curl","affects":"both","severity":"Low","last_affected":"7.73.0"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"4.0"},{"fixed":"7.74.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"ae1912cb0d494b48d514d937826c9fe83ec96c4d"},{"fixed":"ec9cc725d598ac77de7b6df8afeec292b3c8ad46"}]}],"versions":["7.73.0","7.72.0","7.71.1","7.71.0","7.70.0","7.69.1","7.69.0","7.68.0","7.67.0","7.66.0","7.65.3","7.65.2","7.65.1","7.65.0","7.64.1","7.64.0","7.63.0","7.62.0","7.61.1","7.61.0","7.60.0","7.59.0","7.58.0","7.57.0","7.56.1","7.56.0","7.55.1","7.55.0","7.54.1","7.54.0","7.53.1","7.53.0","7.52.1","7.52.0","7.51.0","7.50.3","7.50.2","7.50.1","7.50.0","7.49.1","7.49.0","7.48.0","7.47.1","7.47.0","7.46.0","7.45.0","7.44.0","7.43.0","7.42.1","7.42.0","7.41.0","7.40.0","7.39.0","7.38.0","7.37.1","7.37.0","7.36.0","7.35.0","7.34.0","7.33.0","7.32.0","7.31.0","7.30.0","7.29.0","7.28.1","7.28.0","7.27.0","7.26.0","7.25.0","7.24.0","7.23.1","7.23.0","7.22.0","7.21.7","7.21.6","7.21.5","7.21.4","7.21.3","7.21.2","7.21.1","7.21.0","7.20.1","7.20.0","7.19.7","7.19.6","7.19.5","7.19.4","7.19.3","7.19.2","7.19.1","7.19.0","7.18.2","7.18.1","7.18.0","7.17.1","7.17.0","7.16.4","7.16.3","7.16.2","7.16.1","7.16.0","7.15.5","7.15.4","7.15.3","7.15.2","7.15.1","7.15.0","7.14.1","7.14.0","7.13.2","7.13.1","7.13.0","7.12.3","7.12.2","7.12.1","7.12.0","7.11.2","7.11.1","7.11.0","7.10.8","7.10.7","7.10.6","7.10.5","7.10.4","7.10.3","7.10.2","7.10.1","7.10","7.9.8","7.9.7","7.9.6","7.9.5","7.9.4","7.9.3","7.9.2","7.9.1","7.9","7.8.1","7.8","7.7.3","7.7.2","7.7.1","7.7","7.6.1","7.6","7.5.2","7.5.1","7.5","7.4.2","7.4.1","7.4","7.3","7.2.1","7.2","7.1.1","7.1","6.5.2","6.5.1","6.5","6.4","6.3.1","6.3","6.2","6.1","6.0","5.11","5.10","5.9.1","5.9","5.8","5.7.1","5.7","5.5.1","5.5","5.4","5.3","5.2.1","5.2","5.0","4.10","4.9","4.8.4","4.8.3","4.8.2","4.8.1","4.8","4.7","4.6","4.5.1","4.5","4.4","4.3","4.2","4.1","4.0"],"database_specific":{"vanir_signatures":[{"source":"https://github.com/curl/curl.git/commit/ec9cc725d598ac77de7b6df8afeec292b3c8ad46","signature_type":"Line","signature_version":"v1","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["169669313792994067688378040291748707416","321795830173557615618495112935278469828","303798684854924181590892784845352719080","25717312739034129593398455384462413788"]},"target":{"file":"src/tool_cfgable.c"},"id":"CURL-CVE-2020-8284-6730d661"},{"source":"https://github.com/curl/curl.git/commit/ec9cc725d598ac77de7b6df8afeec292b3c8ad46","signature_type":"Function","signature_version":"v1","deprecated":false,"digest":{"length":3084,"function_hash":"179266162000313815073355544713281597741"},"target":{"function":"Curl_init_userdefined","file":"lib/url.c"},"id":"CURL-CVE-2020-8284-88689ca4"},{"source":"https://github.com/curl/curl.git/commit/ec9cc725d598ac77de7b6df8afeec292b3c8ad46","signature_type":"Function","signature_version":"v1","deprecated":false,"digest":{"length":582,"function_hash":"262787758897913126717991939170037864740"},"target":{"function":"config_init","file":"src/tool_cfgable.c"},"id":"CURL-CVE-2020-8284-d049c5e7"},{"source":"https://github.com/curl/curl.git/commit/ec9cc725d598ac77de7b6df8afeec292b3c8ad46","signature_type":"Line","signature_version":"v1","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["332275256797049410969042857320779881997","209898139180819913388445564468721410588","201564350411993658624401582804313207203","125944839223461286279884884667119672935"]},"target":{"file":"lib/url.c"},"id":"CURL-CVE-2020-8284-d162e32d"}],"source":"https://curl.se/docs/CURL-CVE-2020-8284.json"}}],"schema_version":"1.7.3","credits":[{"name":"Varnavas Papaioannou","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}
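The following is an added example, not curl's code and not part of the advisory record above. It models the protocol behaviour the "details" field describes: a 227 PASV reply names both an IPv4 address and a port, so a client that honours the address can be bounced to any host the server chooses, while a 229 EPSV reply (RFC 2428) carries only a port. The fixed release 7.74.0 (the commit in the GIT range) made curl ignore the advertised address by default and reuse the control connection's peer address instead (CURLOPT_FTP_SKIP_PASV_IP / `--ftp-skip-pasv-ip` on by default); `skip_pasv_ip=False` below stands in for the pre-fix behaviour. The regexes, the `data_endpoint` / `is_redirecting_pasv` helper names, and the sample replies and addresses are all constructed for this illustration.

```python
"""
Parse FTP passive-mode replies and decide where the data connection goes.

Added example, not curl's code. skip_pasv_ip=True mirrors curl >= 7.74.0
(address in the 227 reply ignored, control peer reused, reply port kept);
skip_pasv_ip=False mirrors the pre-fix behaviour CVE-2020-8284 describes.
All sample replies and addresses below are constructed.
"""
import re
from typing import Tuple

# 227 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
_PASV_RE = re.compile(
    r"^227\b.*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
)
# 229 reply: "229 Entering Extended Passive Mode (|||port|)"; RFC 2428 allows
# any single delimiter character, hence the backreferences.
_EPSV_RE = re.compile(r"^229\b.*?\((.)\1\1(\d{1,5})\1\)")


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Return (advertised_ipv4, port) from a 227 reply, validating every field."""
    m = _PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a well-formed PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"PASV field out of range: {reply!r}")
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("PASV reply advertises port 0")
    return ".".join(str(f) for f in fields[:4]), port


def parse_epsv(reply: str) -> int:
    """Return the port from a 229 reply; EPSV never names a host."""
    m = _EPSV_RE.search(reply)
    if not m:
        raise ValueError(f"not a well-formed EPSV reply: {reply!r}")
    port = int(m.group(2))
    if not 1 <= port <= 65535:
        raise ValueError(f"EPSV port out of range: {port}")
    return port


def data_endpoint(control_peer: str, reply: str,
                  skip_pasv_ip: bool = True) -> Tuple[str, int]:
    """
    Decide the (host, port) for the data connection.

    control_peer is the address the control connection already talks to.
    With skip_pasv_ip the server still picks the port (that is harmless, it
    is the server's own host), but it can no longer pick the host.
    """
    if reply.startswith("229"):
        return control_peer, parse_epsv(reply)
    host, port = parse_pasv(reply)
    if skip_pasv_ip:
        return control_peer, port
    return host, port


def is_redirecting_pasv(control_peer: str, reply: str) -> bool:
    """Detection hook: True when a 227 reply points away from the control peer.

    A legitimate server may do this (NAT, multi-homed hosts), but a reply that
    names a private or loopback address while you dialled a public one is the
    pattern the advisory warns about and is worth logging.
    """
    if not reply.startswith("227"):
        return False
    host, _ = parse_pasv(reply)
    return host != control_peer


if __name__ == "__main__":
    # Constructed sample: the FTP server we dialled, and a hostile reply that
    # tries to bounce the data connection to an internal SSH port.
    peer = "198.51.100.7"
    hostile = "227 Entering Passive Mode (10,0,0,5,0,22)"
    print("pre-7.74.0 :", data_endpoint(peer, hostile, skip_pasv_ip=False))
    print("7.74.0+    :", data_endpoint(peer, hostile))
    print("redirect?  :", is_redirecting_pasv(peer, hostile))
    print("EPSV       :", data_endpoint(peer, "229 Entering Extended Passive Mode (|||49152|)"))
```

Run it as a script to see the pre-fix and post-fix endpoints for the same hostile reply. Note that reusing the control peer closes the host-redirection hole but does nothing for the port, so a server can still make the client connect to any port on the server itself; that is by design and is the same exposure any FTP client accepts.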