csaf_suse - suse-su-2020:14585-1

SUSE-SU-2020:14585-1

Vulnerability from csaf_suse - Published: 2020-12-21 09:57 - Updated: 2020-12-21 09:57

Summary

Security update for curl

Notes

Title of the patch

Security update for curl

Description of the patch

This update for curl fixes the following issues: - CVE-2020-8284: Fixed an issue where a malicious FTP server could make curl connect to a different IP (bsc#1179398). - CVE-2020-8285: Fixed an FTP wildcard stack overflow (bsc#1179399).

Patchnames

secsp3-curl-14585

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for curl",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for curl fixes the following issues:\n\n- CVE-2020-8284: Fixed an issue where a malicious FTP server could make curl connect to a different IP (bsc#1179398).\n- CVE-2020-8285: Fixed an FTP wildcard stack overflow (bsc#1179399).\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "secsp3-curl-14585",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2020_14585-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2020:14585-1",
        "url": "https://www.suse.com/support/update/announcement/2020/suse-su-202014585-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2020:14585-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2020-December/008095.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1179398",
        "url": "https://bugzilla.suse.com/1179398"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1179399",
        "url": "https://bugzilla.suse.com/1179399"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-8284 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-8284/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-8285 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-8285/"
      }
    ],
    "title": "Security update for curl",
    "tracking": {
      "current_release_date": "2020-12-21T09:57:35Z",
      "generator": {
        "date": "2020-12-21T09:57:35Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2020:14585-1",
      "initial_release_date": "2020-12-21T09:57:35Z",
      "revision_history": [
        {
          "date": "2020-12-21T09:57:35Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "curl-openssl1-7.37.0-70.57.1.i586",
                "product": {
                  "name": "curl-openssl1-7.37.0-70.57.1.i586",
                  "product_id": "curl-openssl1-7.37.0-70.57.1.i586"
                }
              },
              {
                "category": "product_version",
                "name": "libcurl4-openssl1-7.37.0-70.57.1.i586",
                "product": {
                  "name": "libcurl4-openssl1-7.37.0-70.57.1.i586",
                  "product_id": "libcurl4-openssl1-7.37.0-70.57.1.i586"
                }
              }
            ],
            "category": "architecture",
            "name": "i586"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "curl-openssl1-7.37.0-70.57.1.ia64",
                "product": {
                  "name": "curl-openssl1-7.37.0-70.57.1.ia64",
                  "product_id": "curl-openssl1-7.37.0-70.57.1.ia64"
                }
              },
              {
                "category": "product_version",
                "name": "libcurl4-openssl1-7.37.0-70.57.1.ia64",
                "product": {
                  "name": "libcurl4-openssl1-7.37.0-70.57.1.ia64",
                  "product_id": "libcurl4-openssl1-7.37.0-70.57.1.ia64"
                }
              },
              {
                "category": "product_version",
                "name": "libcurl4-openssl1-x86-7.37.0-70.57.1.ia64",
                "product": {
                  "name": "libcurl4-openssl1-x86-7.37.0-70.57.1.ia64",
                  "product_id": "libcurl4-openssl1-x86-7.37.0-70.57.1.ia64"
                }
              }
            ],
            "category": "architecture",
            "name": "ia64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "curl-openssl1-7.37.0-70.57.1.ppc64",
                "product": {
                  "name": "curl-openssl1-7.37.0-70.57.1.ppc64",
                  "product_id": "curl-openssl1-7.37.0-70.57.1.ppc64"
                }
              },
              {
                "category": "product_version",
                "name": "libcurl4-openssl1-7.37.0-70.57.1.ppc64",
                "product": {
                  "name": "libcurl4-openssl1-7.37.0-70.57.1.ppc64",
                  "product_id": "libcurl4-openssl1-7.37.0-70.57.1.ppc64"
                }
              },
              {
                "category": "product_version",
                "name": "libcurl4-openssl1-32bit-7.37.0-70.57.1.ppc64",
                "product": {
                  "name": "libcurl4-openssl1-32bit-7.37.0-70.57.1.ppc64",
                  "product_id": "libcurl4-openssl1-32bit-7.37.0-70.57.1.ppc64"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "curl-openssl1-7.37.0-70.57.1.s390x",
                "product": {
                  "name": "curl-openssl1-7.37.0-70.57.1.s390x",
                  "product_id": "curl-openssl1-7.37.0-70.57.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "libcurl4-openssl1-7.37.0-70.57.1.s390x",
                "product": {
                  "name": "libcurl4-openssl1-7.37.0-70.57.1.s390x",
                  "product_id": "libcurl4-openssl1-7.37.0-70.57.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "libcurl4-openssl1-32bit-7.37.0-70.57.1.s390x",
                "product": {
                  "name": "libcurl4-openssl1-32bit-7.37.0-70.57.1.s390x",
                  "product_id": "libcurl4-openssl1-32bit-7.37.0-70.57.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "curl-openssl1-7.37.0-70.57.1.x86_64",
                "product": {
                  "name": "curl-openssl1-7.37.0-70.57.1.x86_64",
                  "product_id": "curl-openssl1-7.37.0-70.57.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "libcurl4-openssl1-7.37.0-70.57.1.x86_64",
                "product": {
                  "name": "libcurl4-openssl1-7.37.0-70.57.1.x86_64",
                  "product_id": "libcurl4-openssl1-7.37.0-70.57.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "libcurl4-openssl1-32bit-7.37.0-70.57.1.x86_64",
                "product": {
                  "name": "libcurl4-openssl1-32bit-7.37.0-70.57.1.x86_64",
                  "product_id": "libcurl4-openssl1-32bit-7.37.0-70.57.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server 11-SECURITY",
                "product": {
                  "name": "SUSE Linux Enterprise Server 11-SECURITY",
                  "product_id": "SUSE Linux Enterprise Server 11-SECURITY",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles:11:security"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "curl-openssl1-7.37.0-70.57.1.i586 as component of SUSE Linux Enterprise Server 11-SECURITY",
          "product_id": "SUSE Linux Enterprise Server 11-SECURITY:curl-openssl1-7.37.0-70.57.1.i586"
        },
        "product_reference": "curl-openssl1-7.37.0-70.57.1.i586",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 11-SECURITY"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "curl-openssl1-7.37.0-70.57.1.ia64 as component of SUSE Linux Enterprise Server 11-SECURITY",
          "product_id": "SUSE Linux Enterprise Server 11-SECURITY:curl-openssl1-7.37.0-70.57.1.ia64"
        },
        "product_reference": "curl-openssl1-7.37.0-70.57.1.ia64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 11-SECURITY"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "curl-openssl1-7.37.0-70.57.1.ppc64 as component of SUSE Linux Enterprise Server 11-SECURITY",
          "product_id": "SUSE Linux Enterprise Server 11-SECURITY:curl-openssl1-7.37.0-70.57.1.ppc64"
        },
        "product_reference": "curl-openssl1-7.37.0-70.57.1.ppc64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 11-SECURITY"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "curl-openssl1-7.37.0-70.57.1.s390x as component of SUSE Linux Enterprise Server 11-SECURITY",
          "product_id": "SUSE Linux Enterprise Server 11-SECURITY:curl-openssl1-7.37.0-70.57.1.s390x"
        },
        "product_reference": "curl-openssl1-7.37.0-70.57.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 11-SECURITY"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "curl-openssl1-7.37.0-70.57.1.x86_64 as component of SUSE Linux Enterprise Server 11-SECURITY",
          "product_id": "SUSE Linux Enterprise Server 11-SECURITY:curl-openssl1-7.37.0-70.57.1.x86_64"
        },
        "product_reference": "curl-openssl1-7.37.0-70.57.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 11-SECURITY"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libcurl4-openssl1-7.37.0-70.57.1.i586 as component of SUSE Linux Enterprise Server 11-SECURITY",
          "product_id": "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-7.37.0-70.57.1.i586"
        },
        "product_reference": "libcurl4-openssl1-7.37.0-70.57.1.i586",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 11-SECURITY"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libcurl4-openssl1-7.37.0-70.57.1.ia64 as component of SUSE Linux Enterprise Server 11-SECURITY",
          "product_id": "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-7.37.0-70.57.1.ia64"
        },
        "product_reference": "libcurl4-openssl1-7.37.0-70.57.1.ia64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 11-SECURITY"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libcurl4-openssl1-7.37.0-70.57.1.ppc64 as component of SUSE Linux Enterprise Server 11-SECURITY",
          "product_id": "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-7.37.0-70.57.1.ppc64"
        },
        "product_reference": "libcurl4-openssl1-7.37.0-70.57.1.ppc64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 11-SECURITY"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libcurl4-openssl1-7.37.0-70.57.1.s390x as component of SUSE Linux Enterprise Server 11-SECURITY",
          "product_id": "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-7.37.0-70.57.1.s390x"
        },
        "product_reference": "libcurl4-openssl1-7.37.0-70.57.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 11-SECURITY"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libcurl4-openssl1-7.37.0-70.57.1.x86_64 as component of SUSE Linux Enterprise Server 11-SECURITY",
          "product_id": "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-7.37.0-70.57.1.x86_64"
        },
        "product_reference": "libcurl4-openssl1-7.37.0-70.57.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 11-SECURITY"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libcurl4-openssl1-32bit-7.37.0-70.57.1.ppc64 as component of SUSE Linux Enterprise Server 11-SECURITY",
          "product_id": "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-32bit-7.37.0-70.57.1.ppc64"
        },
        "product_reference": "libcurl4-openssl1-32bit-7.37.0-70.57.1.ppc64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 11-SECURITY"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libcurl4-openssl1-32bit-7.37.0-70.57.1.s390x as component of SUSE Linux Enterprise Server 11-SECURITY",
          "product_id": "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-32bit-7.37.0-70.57.1.s390x"
        },
        "product_reference": "libcurl4-openssl1-32bit-7.37.0-70.57.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 11-SECURITY"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libcurl4-openssl1-32bit-7.37.0-70.57.1.x86_64 as component of SUSE Linux Enterprise Server 11-SECURITY",
          "product_id": "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-32bit-7.37.0-70.57.1.x86_64"
        },
        "product_reference": "libcurl4-openssl1-32bit-7.37.0-70.57.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 11-SECURITY"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libcurl4-openssl1-x86-7.37.0-70.57.1.ia64 as component of SUSE Linux Enterprise Server 11-SECURITY",
          "product_id": "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-x86-7.37.0-70.57.1.ia64"
        },
        "product_reference": "libcurl4-openssl1-x86-7.37.0-70.57.1.ia64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 11-SECURITY"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2020-8284",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-8284"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Server 11-SECURITY:curl-openssl1-7.37.0-70.57.1.i586",
          "SUSE Linux Enterprise Server 11-SECURITY:curl-openssl1-7.37.0-70.57.1.ia64",
          "SUSE Linux Enterprise Server 11-SECURITY:curl-openssl1-7.37.0-70.57.1.ppc64",
          "SUSE Linux Enterprise Server 11-SECURITY:curl-openssl1-7.37.0-70.57.1.s390x",
          "SUSE Linux Enterprise Server 11-SECURITY:curl-openssl1-7.37.0-70.57.1.x86_64",
          "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-32bit-7.37.0-70.57.1.ppc64",
          "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-32bit-7.37.0-70.57.1.s390x",
          "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-32bit-7.37.0-70.57.1.x86_64",
          "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-7.37.0-70.57.1.i586",
          "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-7.37.0-70.57.1.ia64",
          "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-7.37.0-70.57.1.ppc64",
          "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-7.37.0-70.57.1.s390x",
          "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-7.37.0-70.57.1.x86_64",
          "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-x86-7.37.0-70.57.1.ia64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-8284",
          "url": "https://www.suse.com/security/cve/CVE-2020-8284"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1179398 for CVE-2020-8284",
          "url": "https://bugzilla.suse.com/1179398"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1179399 for CVE-2020-8284",
          "url": "https://bugzilla.suse.com/1179399"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1186108 for CVE-2020-8284",
          "url": "https://bugzilla.suse.com/1186108"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Server 11-SECURITY:curl-openssl1-7.37.0-70.57.1.i586",
            "SUSE Linux Enterprise Server 11-SECURITY:curl-openssl1-7.37.0-70.57.1.ia64",
            "SUSE Linux Enterprise Server 11-SECURITY:curl-openssl1-7.37.0-70.57.1.ppc64",
            "SUSE Linux Enterprise Server 11-SECURITY:curl-openssl1-7.37.0-70.57.1.s390x",
            "SUSE Linux Enterprise Server 11-SECURITY:curl-openssl1-7.37.0-70.57.1.x86_64",
            "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-32bit-7.37.0-70.57.1.ppc64",
            "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-32bit-7.37.0-70.57.1.s390x",
            "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-32bit-7.37.0-70.57.1.x86_64",
            "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-7.37.0-70.57.1.i586",
            "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-7.37.0-70.57.1.ia64",
            "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-7.37.0-70.57.1.ppc64",
            "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-7.37.0-70.57.1.s390x",
            "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-7.37.0-70.57.1.x86_64",
            "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-x86-7.37.0-70.57.1.ia64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Server 11-SECURITY:curl-openssl1-7.37.0-70.57.1.i586",
            "SUSE Linux Enterprise Server 11-SECURITY:curl-openssl1-7.37.0-70.57.1.ia64",
            "SUSE Linux Enterprise Server 11-SECURITY:curl-openssl1-7.37.0-70.57.1.ppc64",
            "SUSE Linux Enterprise Server 11-SECURITY:curl-openssl1-7.37.0-70.57.1.s390x",
            "SUSE Linux Enterprise Server 11-SECURITY:curl-openssl1-7.37.0-70.57.1.x86_64",
            "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-32bit-7.37.0-70.57.1.ppc64",
            "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-32bit-7.37.0-70.57.1.s390x",
            "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-32bit-7.37.0-70.57.1.x86_64",
            "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-7.37.0-70.57.1.i586",
            "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-7.37.0-70.57.1.ia64",
            "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-7.37.0-70.57.1.ppc64",
            "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-7.37.0-70.57.1.s390x",
            "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-7.37.0-70.57.1.x86_64",
            "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-x86-7.37.0-70.57.1.ia64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2020-12-21T09:57:35Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2020-8284"
    },
    {
      "cve": "CVE-2020-8285",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-8285"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Server 11-SECURITY:curl-openssl1-7.37.0-70.57.1.i586",
          "SUSE Linux Enterprise Server 11-SECURITY:curl-openssl1-7.37.0-70.57.1.ia64",
          "SUSE Linux Enterprise Server 11-SECURITY:curl-openssl1-7.37.0-70.57.1.ppc64",
          "SUSE Linux Enterprise Server 11-SECURITY:curl-openssl1-7.37.0-70.57.1.s390x",
          "SUSE Linux Enterprise Server 11-SECURITY:curl-openssl1-7.37.0-70.57.1.x86_64",
          "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-32bit-7.37.0-70.57.1.ppc64",
          "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-32bit-7.37.0-70.57.1.s390x",
          "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-32bit-7.37.0-70.57.1.x86_64",
          "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-7.37.0-70.57.1.i586",
          "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-7.37.0-70.57.1.ia64",
          "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-7.37.0-70.57.1.ppc64",
          "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-7.37.0-70.57.1.s390x",
          "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-7.37.0-70.57.1.x86_64",
          "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-x86-7.37.0-70.57.1.ia64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-8285",
          "url": "https://www.suse.com/security/cve/CVE-2020-8285"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1179399 for CVE-2020-8285",
          "url": "https://bugzilla.suse.com/1179399"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1186108 for CVE-2020-8285",
          "url": "https://bugzilla.suse.com/1186108"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Server 11-SECURITY:curl-openssl1-7.37.0-70.57.1.i586",
            "SUSE Linux Enterprise Server 11-SECURITY:curl-openssl1-7.37.0-70.57.1.ia64",
            "SUSE Linux Enterprise Server 11-SECURITY:curl-openssl1-7.37.0-70.57.1.ppc64",
            "SUSE Linux Enterprise Server 11-SECURITY:curl-openssl1-7.37.0-70.57.1.s390x",
            "SUSE Linux Enterprise Server 11-SECURITY:curl-openssl1-7.37.0-70.57.1.x86_64",
            "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-32bit-7.37.0-70.57.1.ppc64",
            "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-32bit-7.37.0-70.57.1.s390x",
            "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-32bit-7.37.0-70.57.1.x86_64",
            "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-7.37.0-70.57.1.i586",
            "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-7.37.0-70.57.1.ia64",
            "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-7.37.0-70.57.1.ppc64",
            "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-7.37.0-70.57.1.s390x",
            "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-7.37.0-70.57.1.x86_64",
            "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-x86-7.37.0-70.57.1.ia64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Server 11-SECURITY:curl-openssl1-7.37.0-70.57.1.i586",
            "SUSE Linux Enterprise Server 11-SECURITY:curl-openssl1-7.37.0-70.57.1.ia64",
            "SUSE Linux Enterprise Server 11-SECURITY:curl-openssl1-7.37.0-70.57.1.ppc64",
            "SUSE Linux Enterprise Server 11-SECURITY:curl-openssl1-7.37.0-70.57.1.s390x",
            "SUSE Linux Enterprise Server 11-SECURITY:curl-openssl1-7.37.0-70.57.1.x86_64",
            "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-32bit-7.37.0-70.57.1.ppc64",
            "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-32bit-7.37.0-70.57.1.s390x",
            "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-32bit-7.37.0-70.57.1.x86_64",
            "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-7.37.0-70.57.1.i586",
            "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-7.37.0-70.57.1.ia64",
            "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-7.37.0-70.57.1.ppc64",
            "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-7.37.0-70.57.1.s390x",
            "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-7.37.0-70.57.1.x86_64",
            "SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-x86-7.37.0-70.57.1.ia64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2020-12-21T09:57:35Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2020-8285"
    }
  ]
}

CVE-2020-8284 (GCVE-0-2020-8284)

Vulnerability from cvelistv5 – Published: 2020-12-14 19:38 – Updated: 2024-08-04 09:56

Summary

A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.

Severity ?

No CVSS data available.

CWE

CWE-200 - Information Disclosure (CWE-200)

Assigner

hackerone

References

URL

Tags

	https://hackerone.com/reports/1040166	x_refsource_MISC
	https://curl.se/docs/CVE-2020-8284.html	x_refsource_MISC
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://lists.debian.org/debian-lts-announce/2020…	mailing-listx_refsource_MLIST
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://security.gentoo.org/glsa/202012-14	vendor-advisoryx_refsource_GENTOO
	https://www.debian.org/security/2021/dsa-4881	vendor-advisoryx_refsource_DEBIAN
	https://www.oracle.com/security-alerts/cpuApr2021.html	x_refsource_MISC
	https://security.netapp.com/advisory/ntap-2021012…	x_refsource_CONFIRM
	https://support.apple.com/kb/HT212325	x_refsource_CONFIRM
	https://support.apple.com/kb/HT212326	x_refsource_CONFIRM
	https://support.apple.com/kb/HT212327	x_refsource_CONFIRM
	https://www.oracle.com//security-alerts/cpujul2021.html	x_refsource_MISC
	https://www.oracle.com/security-alerts/cpujan2022.html	x_refsource_MISC
	https://www.oracle.com/security-alerts/cpuapr2022.html	x_refsource_MISC
	https://cert-portal.siemens.com/productcert/pdf/s…	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	n/a	https://github.com/curl/curl	Affected: 7.73.0 and earlier

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T09:56:28.316Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://hackerone.com/reports/1040166"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://curl.se/docs/CVE-2020-8284.html"
          },
          {
            "name": "FEDORA-2020-ceaf490686",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NZUVSQHN2ESHMJXNQ2Z7T2EELBB5HJXG/"
          },
          {
            "name": "[debian-lts-announce] 20201219 [SECURITY] [DLA 2500-1] curl security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00029.html"
          },
          {
            "name": "FEDORA-2020-7ab62c73bc",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DAEHE2S2QLO4AO4MEEYL75NB7SAH5PSL/"
          },
          {
            "name": "GLSA-202012-14",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202012-14"
          },
          {
            "name": "DSA-4881",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2021/dsa-4881"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20210122-0007/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.apple.com/kb/HT212325"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.apple.com/kb/HT212326"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.apple.com/kb/HT212327"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "https://github.com/curl/curl",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "7.73.0 and earlier"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "Information Disclosure (CWE-200)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-19T23:23:26",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://hackerone.com/reports/1040166"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://curl.se/docs/CVE-2020-8284.html"
        },
        {
          "name": "FEDORA-2020-ceaf490686",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NZUVSQHN2ESHMJXNQ2Z7T2EELBB5HJXG/"
        },
        {
          "name": "[debian-lts-announce] 20201219 [SECURITY] [DLA 2500-1] curl security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00029.html"
        },
        {
          "name": "FEDORA-2020-7ab62c73bc",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DAEHE2S2QLO4AO4MEEYL75NB7SAH5PSL/"
        },
        {
          "name": "GLSA-202012-14",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202012-14"
        },
        {
          "name": "DSA-4881",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2021/dsa-4881"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20210122-0007/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://support.apple.com/kb/HT212325"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://support.apple.com/kb/HT212326"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://support.apple.com/kb/HT212327"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "support@hackerone.com",
          "ID": "CVE-2020-8284",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "https://github.com/curl/curl",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "7.73.0 and earlier"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Information Disclosure (CWE-200)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://hackerone.com/reports/1040166",
              "refsource": "MISC",
              "url": "https://hackerone.com/reports/1040166"
            },
            {
              "name": "https://curl.se/docs/CVE-2020-8284.html",
              "refsource": "MISC",
              "url": "https://curl.se/docs/CVE-2020-8284.html"
            },
            {
              "name": "FEDORA-2020-ceaf490686",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZUVSQHN2ESHMJXNQ2Z7T2EELBB5HJXG/"
            },
            {
              "name": "[debian-lts-announce] 20201219 [SECURITY] [DLA 2500-1] curl security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00029.html"
            },
            {
              "name": "FEDORA-2020-7ab62c73bc",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DAEHE2S2QLO4AO4MEEYL75NB7SAH5PSL/"
            },
            {
              "name": "GLSA-202012-14",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202012-14"
            },
            {
              "name": "DSA-4881",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2021/dsa-4881"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20210122-0007/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20210122-0007/"
            },
            {
              "name": "https://support.apple.com/kb/HT212325",
              "refsource": "CONFIRM",
              "url": "https://support.apple.com/kb/HT212325"
            },
            {
              "name": "https://support.apple.com/kb/HT212326",
              "refsource": "CONFIRM",
              "url": "https://support.apple.com/kb/HT212326"
            },
            {
              "name": "https://support.apple.com/kb/HT212327",
              "refsource": "CONFIRM",
              "url": "https://support.apple.com/kb/HT212327"
            },
            {
              "name": "https://www.oracle.com//security-alerts/cpujul2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujan2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf",
              "refsource": "CONFIRM",
              "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2020-8284",
    "datePublished": "2020-12-14T19:38:26",
    "dateReserved": "2020-01-28T00:00:00",
    "dateUpdated": "2024-08-04T09:56:28.316Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-8285 (GCVE-0-2020-8285)

Vulnerability from cvelistv5 – Published: 2020-12-14 19:39 – Updated: 2024-08-04 09:56

Summary

curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing.

Severity ?

No CVSS data available.

CWE

CWE-674 - Uncontrolled Recursion (CWE-674)

Assigner

hackerone

References

URL

Tags

	https://hackerone.com/reports/1045844	x_refsource_MISC
	https://github.com/curl/curl/issues/6255	x_refsource_MISC
	https://curl.se/docs/CVE-2020-8285.html	x_refsource_MISC
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://lists.debian.org/debian-lts-announce/2020…	mailing-listx_refsource_MLIST
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://security.gentoo.org/glsa/202012-14	vendor-advisoryx_refsource_GENTOO
	https://www.debian.org/security/2021/dsa-4881	vendor-advisoryx_refsource_DEBIAN
	http://seclists.org/fulldisclosure/2021/Apr/51	mailing-listx_refsource_FULLDISC
	https://www.oracle.com/security-alerts/cpuApr2021.html	x_refsource_MISC
	https://security.netapp.com/advisory/ntap-2021012…	x_refsource_CONFIRM
	https://support.apple.com/kb/HT212325	x_refsource_CONFIRM
	https://support.apple.com/kb/HT212326	x_refsource_CONFIRM
	https://support.apple.com/kb/HT212327	x_refsource_CONFIRM
	https://lists.apache.org/thread.html/rf4c02775860…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/r58af02e294b…	mailing-listx_refsource_MLIST
	https://www.oracle.com//security-alerts/cpujul2021.html	x_refsource_MISC
	https://www.oracle.com/security-alerts/cpujan2022.html	x_refsource_MISC
	https://www.oracle.com/security-alerts/cpuapr2022.html	x_refsource_MISC
	https://cert-portal.siemens.com/productcert/pdf/s…	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	n/a	https://github.com/curl/curl	Affected: libcurl 7.21.0 to and including 7.73.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T09:56:28.307Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://hackerone.com/reports/1045844"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/curl/curl/issues/6255"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://curl.se/docs/CVE-2020-8285.html"
          },
          {
            "name": "FEDORA-2020-ceaf490686",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NZUVSQHN2ESHMJXNQ2Z7T2EELBB5HJXG/"
          },
          {
            "name": "[debian-lts-announce] 20201219 [SECURITY] [DLA 2500-1] curl security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00029.html"
          },
          {
            "name": "FEDORA-2020-7ab62c73bc",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DAEHE2S2QLO4AO4MEEYL75NB7SAH5PSL/"
          },
          {
            "name": "GLSA-202012-14",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202012-14"
          },
          {
            "name": "DSA-4881",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2021/dsa-4881"
          },
          {
            "name": "20210427 APPLE-SA-2021-04-26-3 Security Update 2021-002 Catalina",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2021/Apr/51"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20210122-0007/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.apple.com/kb/HT212325"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.apple.com/kb/HT212326"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.apple.com/kb/HT212327"
          },
          {
            "name": "[bookkeeper-issues] 20210628 [GitHub] [bookkeeper] padma81 opened a new issue #2746: Security Vulnerabilities in CentOS 7 image, Upgrade image to CentOS 8",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E"
          },
          {
            "name": "[bookkeeper-issues] 20210629 [GitHub] [bookkeeper] padma81 opened a new issue #2746: Security Vulnerabilities in CentOS 7 image, Upgrade image to CentOS 8",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "https://github.com/curl/curl",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "libcurl 7.21.0 to and including 7.73.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-674",
              "description": "Uncontrolled Recursion (CWE-674)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-19T23:23:28",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://hackerone.com/reports/1045844"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/curl/curl/issues/6255"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://curl.se/docs/CVE-2020-8285.html"
        },
        {
          "name": "FEDORA-2020-ceaf490686",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NZUVSQHN2ESHMJXNQ2Z7T2EELBB5HJXG/"
        },
        {
          "name": "[debian-lts-announce] 20201219 [SECURITY] [DLA 2500-1] curl security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00029.html"
        },
        {
          "name": "FEDORA-2020-7ab62c73bc",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DAEHE2S2QLO4AO4MEEYL75NB7SAH5PSL/"
        },
        {
          "name": "GLSA-202012-14",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202012-14"
        },
        {
          "name": "DSA-4881",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2021/dsa-4881"
        },
        {
          "name": "20210427 APPLE-SA-2021-04-26-3 Security Update 2021-002 Catalina",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2021/Apr/51"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20210122-0007/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://support.apple.com/kb/HT212325"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://support.apple.com/kb/HT212326"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://support.apple.com/kb/HT212327"
        },
        {
          "name": "[bookkeeper-issues] 20210628 [GitHub] [bookkeeper] padma81 opened a new issue #2746: Security Vulnerabilities in CentOS 7 image, Upgrade image to CentOS 8",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E"
        },
        {
          "name": "[bookkeeper-issues] 20210629 [GitHub] [bookkeeper] padma81 opened a new issue #2746: Security Vulnerabilities in CentOS 7 image, Upgrade image to CentOS 8",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "support@hackerone.com",
          "ID": "CVE-2020-8285",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "https://github.com/curl/curl",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "libcurl 7.21.0 to and including 7.73.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Uncontrolled Recursion (CWE-674)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://hackerone.com/reports/1045844",
              "refsource": "MISC",
              "url": "https://hackerone.com/reports/1045844"
            },
            {
              "name": "https://github.com/curl/curl/issues/6255",
              "refsource": "MISC",
              "url": "https://github.com/curl/curl/issues/6255"
            },
            {
              "name": "https://curl.se/docs/CVE-2020-8285.html",
              "refsource": "MISC",
              "url": "https://curl.se/docs/CVE-2020-8285.html"
            },
            {
              "name": "FEDORA-2020-ceaf490686",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZUVSQHN2ESHMJXNQ2Z7T2EELBB5HJXG/"
            },
            {
              "name": "[debian-lts-announce] 20201219 [SECURITY] [DLA 2500-1] curl security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00029.html"
            },
            {
              "name": "FEDORA-2020-7ab62c73bc",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DAEHE2S2QLO4AO4MEEYL75NB7SAH5PSL/"
            },
            {
              "name": "GLSA-202012-14",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202012-14"
            },
            {
              "name": "DSA-4881",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2021/dsa-4881"
            },
            {
              "name": "20210427 APPLE-SA-2021-04-26-3 Security Update 2021-002 Catalina",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2021/Apr/51"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20210122-0007/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20210122-0007/"
            },
            {
              "name": "https://support.apple.com/kb/HT212325",
              "refsource": "CONFIRM",
              "url": "https://support.apple.com/kb/HT212325"
            },
            {
              "name": "https://support.apple.com/kb/HT212326",
              "refsource": "CONFIRM",
              "url": "https://support.apple.com/kb/HT212326"
            },
            {
              "name": "https://support.apple.com/kb/HT212327",
              "refsource": "CONFIRM",
              "url": "https://support.apple.com/kb/HT212327"
            },
            {
              "name": "[bookkeeper-issues] 20210628 [GitHub] [bookkeeper] padma81 opened a new issue #2746: Security Vulnerabilities in CentOS 7 image, Upgrade image to CentOS 8",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E"
            },
            {
              "name": "[bookkeeper-issues] 20210629 [GitHub] [bookkeeper] padma81 opened a new issue #2746: Security Vulnerabilities in CentOS 7 image, Upgrade image to CentOS 8",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E"
            },
            {
              "name": "https://www.oracle.com//security-alerts/cpujul2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujan2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf",
              "refsource": "CONFIRM",
              "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2020-8285",
    "datePublished": "2020-12-14T19:39:04",
    "dateReserved": "2020-01-28T00:00:00",
    "dateUpdated": "2024-08-04T09:56:28.307Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

SUSE-SU-2020:14585-1

CVE-2020-8284 (GCVE-0-2020-8284)

CVE-2020-8285 (GCVE-0-2020-8285)

Tags

Sightings

Nomenclature