First published: Mon Nov 30 2020
curl. This issue was addressed with improved checks.
Credit: Marian Rehak (support@hackerone.com)
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/jbcs-httpd24 | <0:1-18.el8 | 0:1-18.el8 |
redhat/jbcs-httpd24-apr | <0:1.6.3-105.el8 | 0:1.6.3-105.el8 |
redhat/jbcs-httpd24-apr-util | <0:1.6.1-82.el8 | 0:1.6.1-82.el8 |
redhat/jbcs-httpd24-brotli | <0:1.0.6-40.el8 | 0:1.0.6-40.el8 |
redhat/jbcs-httpd24-curl | <0:7.77.0-2.el8 | 0:7.77.0-2.el8 |
redhat/jbcs-httpd24-httpd | <0:2.4.37-74.el8 | 0:2.4.37-74.el8 |
redhat/jbcs-httpd24-jansson | <0:2.11-55.el8 | 0:2.11-55.el8 |
redhat/jbcs-httpd24-nghttp2 | <0:1.39.2-37.el8 | 0:1.39.2-37.el8 |
redhat/jbcs-httpd24-openssl | <1:1.1.1g-6.el8 | 1:1.1.1g-6.el8 |
redhat/jbcs-httpd24-openssl-chil | <0:1.0.0-5.el8 | 0:1.0.0-5.el8 |
redhat/jbcs-httpd24-openssl-pkcs11 | <0:0.4.10-20.el8 | 0:0.4.10-20.el8 |
redhat/jbcs-httpd24 | <0:1-18.jbcs.el7 | 0:1-18.jbcs.el7 |
redhat/jbcs-httpd24-apr | <0:1.6.3-105.jbcs.el7 | 0:1.6.3-105.jbcs.el7 |
redhat/jbcs-httpd24-apr-util | <0:1.6.1-82.jbcs.el7 | 0:1.6.1-82.jbcs.el7 |
redhat/jbcs-httpd24-curl | <0:7.77.0-2.jbcs.el7 | 0:7.77.0-2.jbcs.el7 |
redhat/jbcs-httpd24-httpd | <0:2.4.37-74.jbcs.el7 | 0:2.4.37-74.jbcs.el7 |
redhat/jbcs-httpd24-jansson | <0:2.11-55.jbcs.el7 | 0:2.11-55.jbcs.el7 |
redhat/curl | <0:7.61.1-18.el8 | 0:7.61.1-18.el8 |
debian/curl | 7.64.0-4+deb10u2, 7.64.0-4+deb10u7, 7.74.0-1.3+deb11u9, 7.74.0-1.3+deb11u10, 7.88.1-10+deb12u3, 7.88.1-10+deb12u4, 8.4.0-2 | |
debian/curl | <=7.72.0-1, <=7.64.0-4+deb10u1, <=7.64.0-4 | |
IBM Cloud Pak for Security (CP4S) | <=1.7.2.0 | |
IBM Cloud Pak for Security (CP4S) | <=1.7.1.0 | |
IBM Cloud Pak for Security (CP4S) | <=1.7.0.0 | |
Apple Mojave | ||
Apple Catalina | ||
Haxx Curl | <=7.73.0 | |
Fedoraproject Fedora | =32 | |
Fedoraproject Fedora | =33 | |
Debian Debian Linux | =9.0 | |
Debian Debian Linux | =10.0 | |
NetApp Clustered Data ONTAP | ||
Netapp Hci Management Node | ||
Netapp Solidfire | ||
Netapp Hci Storage Node | ||
Netapp Hci Bootstrap Os | ||
Netapp Hci Compute Node | ||
Apple Mac OS X | >=10.14.0<10.14.6 | |
Apple Mac OS X | >=10.15<10.15.7 | |
Apple Mac OS X | =10.14.6-security_update_2019-001 | |
Apple Mac OS X | =10.14.6-security_update_2019-002 | |
Apple Mac OS X | =10.14.6-security_update_2019-004 | |
Apple Mac OS X | =10.14.6-security_update_2019-005 | |
Apple Mac OS X | =10.14.6-security_update_2019-006 | |
Apple Mac OS X | =10.14.6-security_update_2019-007 | |
Apple Mac OS X | =10.14.6-security_update_2020-001 | |
Apple Mac OS X | =10.14.6-security_update_2020-002 | |
Apple Mac OS X | =10.14.6-security_update_2020-003 | |
Apple Mac OS X | =10.14.6-security_update_2020-004 | |
Apple Mac OS X | =10.14.6-security_update_2020-005 | |
Apple Mac OS X | =10.14.6-security_update_2020-006 | |
Apple Mac OS X | =10.14.6-security_update_2020-007 | |
Apple Mac OS X | =10.14.6-security_update_2021-001 | |
Apple Mac OS X | =10.14.6-security_update_2021-002 | |
Apple Mac OS X | =10.14.6-supplemental_update | |
Apple Mac OS X | =10.14.6-supplemental_update_2 | |
Apple Mac OS X | =10.15.7 | |
Apple Mac OS X | =10.15.7-security_update_2020 | |
Apple Mac OS X | =10.15.7-security_update_2020-001 | |
Apple Mac OS X | =10.15.7-security_update_2020-005 | |
Apple Mac OS X | =10.15.7-security_update_2020-007 | |
Apple Mac OS X | =10.15.7-security_update_2021-001 | |
Apple Mac OS X | =10.15.7-supplemental_update | |
Apple macOS | =11.0.1 | |
Apple macOS | =11.1 | |
Apple macOS | =11.2 | |
Oracle Communications Billing and Revenue Management | =12.0.0.3.0 | |
Oracle Communications Cloud Native Core Policy | =1.14.0 | |
Oracle Essbase | =21.2 | |
Oracle PeopleSoft Enterprise PeopleTools | =8.58 | |
Fujitsu M10-1 Firmware | <xcp2410 | |
Fujitsu M10-1 | ||
Fujitsu M10-4 Firmware | <xcp2410 | |
Fujitsu M10-4 | ||
Fujitsu M10-4s Firmware | <xcp2410 | |
Fujitsu M10-4s | ||
Fujitsu M12-1 Firmware | <xcp2410 | |
Fujitsu M12-1 | ||
Fujitsu M12-2 Firmware | <xcp2410 | |
Fujitsu M12-2 | ||
Fujitsu M12-2s Firmware | <xcp2410 | |
Fujitsu M12-2s | ||
Fujitsu M10-1 Firmware | <xcp3110 | |
Fujitsu M10-4 Firmware | <xcp3110 | |
Fujitsu M10-4s Firmware | <xcp3110 | |
Fujitsu M12-1 Firmware | <xcp3110 | |
Fujitsu M12-2 Firmware | <xcp3110 | |
Fujitsu M12-2s Firmware | <xcp3110 | |
Siemens Sinec Infrastructure Network Services | <1.0.1.1 | |
Apple macOS Big Sur | <11.3 | 11.3 |
redhat/curl | <7.74.0 | 7.74.0 |
All of | ||
Netapp Hci Bootstrap Os | ||
Netapp Hci Compute Node | ||
All of | ||
Fujitsu M10-1 Firmware | <xcp2410 | |
Fujitsu M10-1 | ||
All of | ||
Fujitsu M10-4 Firmware | <xcp2410 | |
Fujitsu M10-4 | ||
All of | ||
Fujitsu M10-4s Firmware | <xcp2410 | |
Fujitsu M10-4s | ||
All of | ||
Fujitsu M12-1 Firmware | <xcp2410 | |
Fujitsu M12-1 | ||
All of | ||
Fujitsu M12-2 Firmware | <xcp2410 | |
Fujitsu M12-2 | ||
All of | ||
Fujitsu M12-2s Firmware | <xcp2410 | |
Fujitsu M12-2s | ||
All of | ||
Fujitsu M10-1 Firmware | <xcp3110 | |
Fujitsu M10-1 | ||
All of | ||
Fujitsu M10-4 Firmware | <xcp3110 | |
Fujitsu M10-4 | ||
All of | ||
Fujitsu M10-4s Firmware | <xcp3110 | |
Fujitsu M10-4s | ||
All of | ||
Fujitsu M12-1 Firmware | <xcp3110 | |
Fujitsu M12-1 | ||
All of | ||
Fujitsu M12-2 Firmware | <xcp3110 | |
Fujitsu M12-2 | ||
All of | ||
Fujitsu M12-2s Firmware | <xcp3110 | |
Fujitsu M12-2s | ||
Splunk Universal Forwarder | >=8.2.0<8.2.12 | |
Splunk Universal Forwarder | >=9.0.0<9.0.6 | |
Splunk Universal Forwarder | =9.1.0 | |
This flaw can be mitigated in curl as shipped with Red Hat Enterprise Linux and Red Hat Software Collections by passing the `--ftp-skip-pasv-ip` command line option to curl. For libcurl, set `CURLOPT_FTP_SKIP_PASV_IP` to `1L` [1]. Note that these mitigations could cause problems in the uncommon case where the server needs the client to connect back to an IP address other than the control connection's IP address.

1. https://curl.se/libcurl/c/CURLOPT_FTP_SKIP_PASV_IP.html
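As an added illustration (not code from this page or from the curl project), the following Python models the check that `--ftp-skip-pasv-ip` / `CURLOPT_FTP_SKIP_PASV_IP` turns on: the host advertised in the server's `227 Entering Passive Mode` reply is discarded in favour of the control connection's address, and any mismatch is logged so it can be picked up for detection. The PASV reply lines and the control host are constructed sample values.

```python
import logging
import re
from typing import NamedTuple, Tuple

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"227[^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

class DataEndpoint(NamedTuple):
    host: str
    port: int
    overridden: bool  # True when the advertised host was discarded

def parse_pasv(reply: str) -> Tuple[str, int]:
    """Extract (host, port) from a 227 reply; raise ValueError if malformed."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a valid PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError(f"field out of range in PASV reply: {reply!r}")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def choose_data_endpoint(reply: str, control_host: str, skip_pasv_ip: bool) -> DataEndpoint:
    """Decide where the data connection goes.

    skip_pasv_ip=False: the host advertised by the server is trusted (the
    behaviour this advisory describes). skip_pasv_ip=True: the mitigation;
    the control connection's host is used whatever the server advertised.
    """
    host, port = parse_pasv(reply)
    if host == control_host or not skip_pasv_ip:
        return DataEndpoint(host, port, False)
    # Server pointed us elsewhere: log it for detection and ignore the host.
    logging.warning("PASV host %s:%d differs from control host %s; using %s",
                    host, port, control_host, control_host)
    return DataEndpoint(control_host, port, True)

if __name__ == "__main__":
    # Constructed sample replies, not captured traffic.
    control = "192.0.2.10"
    honest = "227 Entering Passive Mode (192,0,2,10,195,149)"
    divergent = "227 Entering Passive Mode (10,0,0,5,31,144)"
    print(choose_data_endpoint(honest, control, skip_pasv_ip=True))
    print(choose_data_endpoint(divergent, control, skip_pasv_ip=False))
    print(choose_data_endpoint(divergent, control, skip_pasv_ip=True))
```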
CVE-2020-8284 is a vulnerability that allows a malicious server to trick curl into connecting back to a given IP address and port, potentially extracting information about private services and performing port scanning.
The severity of CVE-2020-8284 is medium with a CVSS score of 3.1.
The Red Hat curl package in versions before 7.74.0, the related jbcs-httpd24 packages (jbcs-httpd24, jbcs-httpd24-apr, jbcs-httpd24-apr-util, jbcs-httpd24-brotli, jbcs-httpd24-curl, jbcs-httpd24-httpd, jbcs-httpd24-jansson, jbcs-httpd24-nghttp2, jbcs-httpd24-openssl, jbcs-httpd24-openssl-chil, jbcs-httpd24-openssl-pkcs11), curl in versions before 7.61.1-18.el8, Apple Catalina, Apple Mojave, and Apple macOS Big Sur in versions before 11.3 are affected by CVE-2020-8284.
To fix CVE-2020-8284, update the affected software to the recommended versions (curl 7.74.0 or later) or apply the security updates provided by the software vendor.
You can find more information about CVE-2020-8284 on the following references: [link 1](https://support.apple.com/en-us/HT212326), [link 2](https://support.apple.com/en-us/HT212327), [link 3](https://support.apple.com/en-us/HT212325).