CVE-2020-8285

CWE-674Uncontrolled RecursionCWE-787Out-of-bounds WriteCWE-121Stack-based Buffer Overflow16 documents11 sources
Severity
7.5HIGH
EPSS
0.7%
top 27.03%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
18
Apple MAC OS XApple MacosFujitsu M10-1 Firmware+15 more
Timeline
PublishedDec 14
Latest updateMay 24

Description

curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages17 packages

NVDhaxx/libcurl7.21.07.74.0
Debiancurl< 7.74.0-1+3
CVEListV5https://github.com/curl/curllibcurl 7.21.0 to and including 7.73.0
NVDapple/macos11.011.3
NVDapple/mac_os_x10.1510.15.7+3

Also affects: Debian Linux 10.0, 9.0, Fedora 32, 33

Patches

Patch: cert-portal.siemens.comPatch: www.oracle.comPatch: www.oracle.com

🔴Vulnerability Details

5
GHSA
GHSA-4p2h-jggv-23jg: curl 72022-05-24
OSV
CVE-2020-8285: curl 72020-12-14
CVEList
CVE-2020-8285: curl 72020-12-14
OSV
curl vulnerabilities2020-12-09
OSV
curl vulnerabilities2020-12-09

📋Vendor Advisories

9
Oracle
Oracle Oracle Systems Risk Matrix: XCP Firmware (cURL) — CVE-2020-82852022-01-15
Oracle
Oracle Oracle Essbase Risk Matrix: Infrastructure (cURL) — CVE-2020-82852021-07-15
Apple
CVE-2020-8285: Security Update 2021-002 Catalina2021-04-26
Apple
CVE-2020-8285: macOS Big Sur 11.32021-04-26
Red Hat
curl: Malicious FTP server can trigger stack overflow when CURLOPT_CHUNK_BGN_FUNCTION is used2020-12-09

💬Community

1
HackerOne
CVE-2020-8285: FTP wildcard stack overflow2021-01-08