A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.
Weakness: Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
This section is open source, for any additional information that enhances or clarifies the official advisory above.
Exploits for CVE-2020-8284 are not publicly available.
curl: CVE-2020-8284: trusting FTP PASV responses
submitted by vepe 3 months ago
publicly disclosed 19 days ago
Official CVE References
View references (7)
- fedoraproject.org/archives/list/[email protected]/message/DAEHE2S2QLO4AO4MEEYL75NB7SAH5PSL/
- fedoraproject.org/archives/list/[email protected]/message/NZUVSQHN2ESHMJXNQ2Z7T2EELBB5HJXG/