CURL-CVE-2020-8284
See a problem?- Source
- https://curl.se/docs/CVE-2020-8284.html
- Import Source
- https://curl.se/docs/CURL-CVE-2020-8284.json
- JSON Data
- https://api.osv.dev/v1/vulns/CURL-CVE-2020-8284
- Aliases
- Published
- 2020-12-09T08:00:00Z
- Modified
- 2024-07-02T09:22:24Z
- Summary
- trusting FTP PASV responses
- Details
-
When curl performs a passive FTP transfer, it first tries the
EPSVcommand and if that is not supported, it falls back to usingPASV. Passive mode is what curl uses by default.A server response to a
PASVcommand includes the (IPv4) address and port number for the client to connect back to in order to perform the actual data transfer.This is how the FTP protocol is designed to work.
A malicious server can use the
PASVresponse to trick curl into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.If curl operates on a URL provided by a user (which by all means is an unwise setup), a user can exploit that and pass in a URL to a malicious FTP server instance without needing any server breach to perform the attack.
- References
-
- Credits
-
-
- Varnavas Papaioannou - FINDER
-
- Daniel Stenberg - REMEDIATION_DEVELOPER
-
Affected packages
Git / github.com/curl/curl.git
Affected ranges
- Type
- SEMVER
- Events
-
Introduced4.0Fixed7.74.0
- Type
- GIT
- Repo
- https://github.com/curl/curl.git
- Events