{"id":"USN-4665-1","summary":"curl vulnerabilities","details":"Marc Aldorasi discovered that curl incorrectly handled the libcurl\nCURLOPT_CONNECT_ONLY option. This could result in data being sent to the\nwrong destination, possibly exposing sensitive information. This issue only\naffected Ubuntu 20.10. (CVE-2020-8231)\n\nVarnavas Papaioannou discovered that curl incorrectly handled FTP PASV\nresponses. An attacker could possibly use this issue to trick curl into\nconnecting to an arbitrary IP address and be used to perform port scanning\nand other information gathering. (CVE-2020-8284)\n\nIt was discovered that curl incorrectly handled FTP wildcard matching. A\nremote attacker could possibly use this issue to cause curl to consume\nresources and crash, resulting in a denial of service. (CVE-2020-8285)\n\nIt was discovered that curl incorrectly handled OCSP response verification.\nA remote attacker could possibly use this issue to provide a fraudulent\nOCSP response. (CVE-2020-8286)\n","modified":"2026-02-10T04:42:00Z","published":"2020-12-09T12:10:47Z","related":["UBUNTU-CVE-2020-8231","UBUNTU-CVE-2020-8284","UBUNTU-CVE-2020-8285","UBUNTU-CVE-2020-8286"],"upstream":["CVE-2020-8231","CVE-2020-8284","CVE-2020-8285","CVE-2020-8286","UBUNTU-CVE-2020-8231","UBUNTU-CVE-2020-8284","UBUNTU-CVE-2020-8285","UBUNTU-CVE-2020-8286"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-4665-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2020-8231"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2020-8284"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2020-8285"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2020-8286"}],"affected":[{"package":{"name":"curl","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/curl@7.47.0-1ubuntu2.18?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"7.47.0-1ubuntu2.18"}]}],"versions":["7.43.0-1ubuntu2","7.45.0-1ubuntu1","7.46.0-1ubuntu1","7.47.0-1ubuntu1","7.47.0-1ubuntu2","7.47.0-1ubuntu2.1","7.47.0-1ubuntu2.2","7.47.0-1ubuntu2.3","7.47.0-1ubuntu2.4","7.47.0-1ubuntu2.5","7.47.0-1ubuntu2.6","7.47.0-1ubuntu2.7","7.47.0-1ubuntu2.8","7.47.0-1ubuntu2.9","7.47.0-1ubuntu2.11","7.47.0-1ubuntu2.12","7.47.0-1ubuntu2.13","7.47.0-1ubuntu2.14","7.47.0-1ubuntu2.15","7.47.0-1ubuntu2.16"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_name":"curl","binary_version":"7.47.0-1ubuntu2.18"},{"binary_name":"libcurl3","binary_version":"7.47.0-1ubuntu2.18"},{"binary_name":"libcurl3-gnutls","binary_version":"7.47.0-1ubuntu2.18"},{"binary_name":"libcurl3-nss","binary_version":"7.47.0-1ubuntu2.18"},{"binary_name":"libcurl4-gnutls-dev","binary_version":"7.47.0-1ubuntu2.18"},{"binary_name":"libcurl4-nss-dev","binary_version":"7.47.0-1ubuntu2.18"},{"binary_name":"libcurl4-openssl-dev","binary_version":"7.47.0-1ubuntu2.18"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-4665-1.json","cves_map":{"ecosystem":"Ubuntu:16.04:LTS","cves":[{"id":"CVE-2020-8284","severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}]},{"id":"CVE-2020-8285","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2020-8286","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}]}}},{"package":{"name":"curl","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/curl@7.58.0-2ubuntu3.12?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"7.58.0-2ubuntu3.12"}]}],"versions":["7.55.1-1ubuntu2","7.55.1-1ubuntu2.1","7.57.0-1ubuntu1","7.58.0-2ubuntu1","7.58.0-2ubuntu2","7.58.0-2ubuntu3","7.58.0-2ubuntu3.1","7.58.0-2ubuntu3.2","7.58.0-2ubuntu3.3","7.58.0-2ubuntu3.5","7.58.0-2ubuntu3.6","7.58.0-2ubuntu3.7","7.58.0-2ubuntu3.8","7.58.0-2ubuntu3.9","7.58.0-2ubuntu3.10"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_name":"curl","binary_version":"7.58.0-2ubuntu3.12"},{"binary_name":"libcurl3-gnutls","binary_version":"7.58.0-2ubuntu3.12"},{"binary_name":"libcurl3-nss","binary_version":"7.58.0-2ubuntu3.12"},{"binary_name":"libcurl4","binary_version":"7.58.0-2ubuntu3.12"},{"binary_name":"libcurl4-gnutls-dev","binary_version":"7.58.0-2ubuntu3.12"},{"binary_name":"libcurl4-nss-dev","binary_version":"7.58.0-2ubuntu3.12"},{"binary_name":"libcurl4-openssl-dev","binary_version":"7.58.0-2ubuntu3.12"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-4665-1.json","cves_map":{"ecosystem":"Ubuntu:18.04:LTS","cves":[{"id":"CVE-2020-8284","severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}]},{"id":"CVE-2020-8285","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2020-8286","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}]}}},{"package":{"name":"curl","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/curl@7.68.0-1ubuntu2.4?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"7.68.0-1ubuntu2.4"}]}],"versions":["7.65.3-1ubuntu3","7.65.3-1ubuntu4","7.66.0-1ubuntu1","7.67.0-2ubuntu1","7.68.0-1ubuntu1","7.68.0-1ubuntu2","7.68.0-1ubuntu2.1","7.68.0-1ubuntu2.2"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_name":"curl","binary_version":"7.68.0-1ubuntu2.4"},{"binary_name":"libcurl3-gnutls","binary_version":"7.68.0-1ubuntu2.4"},{"binary_name":"libcurl3-nss","binary_version":"7.68.0-1ubuntu2.4"},{"binary_name":"libcurl4","binary_version":"7.68.0-1ubuntu2.4"},{"binary_name":"libcurl4-gnutls-dev","binary_version":"7.68.0-1ubuntu2.4"},{"binary_name":"libcurl4-nss-dev","binary_version":"7.68.0-1ubuntu2.4"},{"binary_name":"libcurl4-openssl-dev","binary_version":"7.68.0-1ubuntu2.4"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-4665-1.json","cves_map":{"ecosystem":"Ubuntu:20.04:LTS","cves":[{"id":"CVE-2020-8284","severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}]},{"id":"CVE-2020-8285","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2020-8286","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}]}}}],"schema_version":"1.7.3"}