CVE-2020-8284 — Sensitive Information Exposure in Siemens Sinec Infrastructure Network Services

CWE-200 — Sensitive Information Exposure14 documents10 sources

Severity

3.7LOWNVD

EPSS

0.1%

top 71.68%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Haxx Curl Apple MAC OS X Fujitsu M10-1 Firmware +15 more

Timeline

PublishedDec 14

Latest updateMay 24

Description

A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 2.2 | Impact: 1.4

Affected Packages18 packages

▶NVDsiemens/sinec_infrastructure_network_services< 1.0.1.1

▶Debianhaxx/curl< 7.74.0-1+3

▶Ubuntuhaxx/curl< 7.35.0-1ubuntu2.20+esm6

▶NVDhaxx/curl7.73.0

▶CVEListV5https/github.com_curl_curl7.73.0 and earlier

Also affects: Debian Linux 10.0, 9.0, Fedora 32, 33

Patches

Patch: cert-portal.siemens.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

GHSA-69rc-qfx4-h683: A malicious server can use the FTP PASV response to trick curl 7↗2022-05-24

▶

CVEList

CVE-2020-8284: A malicious server can use the FTP PASV response to trick curl 7↗2020-12-14

▶

OSV

CVE-2020-8284: A malicious server can use the FTP PASV response to trick curl 7↗2020-12-14

▶

OSV

curl vulnerabilities↗2020-12-09

▶

OSV

curl vulnerabilities↗2020-12-09

▶

📋Vendor Advisories

Apple

CVE-2020-8284: macOS Big Sur 11.3↗2021-04-26

▶

Apple

CVE-2020-8284: Security Update 2021-002 Catalina↗2021-04-26

▶

Ubuntu

curl vulnerabilities↗2020-12-09

▶

Ubuntu

curl vulnerabilities↗2020-12-09

▶

Red Hat

curl: FTP PASV command response can cause curl to connect to arbitrary host↗2020-12-09

▶

💬Community

HackerOne

CVE-2020-8284: trusting FTP PASV responses↗2021-02-09

▶