CVE-2020-8284
curl - security update
CVSS 3.1 base score: 3.7 (LOW)
EPSS: 0.08%
Description
A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port. In this way it can potentially make curl extract information about services that are otherwise private and not disclosed, for example by port scanning and extracting service banners.
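The defensive check that closes this gap is to ignore the address a server advertises in its 227 reply and reuse the control connection's IP for the data connection, which is what curl 7.74.0 and later do by default (CURLOPT_FTP_SKIP_PASV_IP / --ftp-skip-pasv-ip). The following is an added illustration of that logic, not curl's own code; the function names and the PASV replies are constructed for the example.

```python
import ipaddress
import re

# 227 reply shape: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; some servers omit the parentheses.
PASV_RE = re.compile(r"^227\b.*?\(?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)?")


def parse_pasv(reply: str):
    """Return (host, port) advertised by a 227 PASV reply; raise ValueError on malformed input."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a valid 227 PASV reply")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("PASV field out of range")
    host = ".".join(str(o) for o in fields[:4])
    port = (fields[4] << 8) | fields[5]
    if port == 0:
        raise ValueError("PASV port 0 is not usable")
    return host, port


def choose_data_endpoint(control_ip: str, reply: str, skip_pasv_ip: bool = True):
    """Decide where the FTP data connection goes.

    skip_pasv_ip=True mirrors curl >= 7.74.0: keep only the port from the reply and
    connect back to the IP the control connection already uses, so a server cannot
    redirect the client at an arbitrary host. Returns (host, port, redirected), where
    redirected is True when the server advertised a different address than its own,
    which is worth logging as a suspicious server regardless of the mode.
    """
    adv_host, port = parse_pasv(reply)
    redirected = ipaddress.ip_address(adv_host) != ipaddress.ip_address(control_ip)
    if skip_pasv_ip:
        return control_ip, port, redirected
    return adv_host, port, redirected


if __name__ == "__main__":
    # Constructed sample: the server at 198.51.100.7 points the client at an internal host.
    CONTROL_IP = "198.51.100.7"
    REPLY = "227 Entering Passive Mode (10,0,0,5,0,22)"
    for mode in (False, True):
        host, port, flagged = choose_data_endpoint(CONTROL_IP, REPLY, skip_pasv_ip=mode)
        print(f"skip_pasv_ip={mode}: connect to {host}:{port}, mismatch flagged={flagged}")
```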
How to fix CVE-2020-8284
To remediate CVE-2020-8284, upgrade the affected package to a fixed version below.
- upgrade to 7.79.0-r0 or later
- upgrade to 7.74.0-1 or later
- upgrade to 7.52.1-5+deb9u13 or later
Is CVE-2020-8284 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 7.79.0-r0
- from 0, < 7.74.0-1
- from 0, < 7.52.1-5+deb9u13
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | LOW (3.7) | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |