{ "threat_severity" : "Moderate", "public_date" : "2020-12-09T08:00:00Z", "bugzilla" : { "description" : "curl: FTP PASV command response can cause curl to connect to arbitrary host", "id" : "1902667", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1902667" }, "cvss3" : { "cvss3_base_score" : "3.1", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "status" : "verified" }, "cwe" : "CWE-200", "details" : [ "A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.", "A malicious server can use the `PASV` response to trick curl into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions. If curl operates on a URL provided by a user, a user can exploit that and pass in a URL to a malicious FTP server instance without needing any server breach to perform the attack." ], "acknowledgement" : "Red Hat would like to thank Varnavas Papaioannou for reporting this issue.", "affected_release" : [ { "product_name" : "JBoss Core Services Apache HTTP Server 2.4.37 SP8", "release_date" : "2021-06-17T00:00:00Z", "advisory" : "RHSA-2021:2471", "cpe" : "cpe:/a:redhat:jboss_core_services:1", "package" : "jbcs-httpd24-curl" }, { "product_name" : "JBoss Core Services for RHEL 8", "release_date" : "2021-06-17T00:00:00Z", "advisory" : "RHSA-2021:2472", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8", "package" : "jbcs-httpd24-0:1-18.el8jbcs" }, { "product_name" : "JBoss Core Services for RHEL 8", "release_date" : "2021-06-17T00:00:00Z", "advisory" : "RHSA-2021:2472", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8", "package" : "jbcs-httpd24-apr-0:1.6.3-105.el8jbcs" }, { "product_name" : "JBoss Core Services for RHEL 8", "release_date" : "2021-06-17T00:00:00Z", "advisory" : "RHSA-2021:2472", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8", "package" : "jbcs-httpd24-apr-util-0:1.6.1-82.el8jbcs" }, { "product_name" : "JBoss Core Services for RHEL 8", "release_date" : "2021-06-17T00:00:00Z", "advisory" : "RHSA-2021:2472", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8", "package" : "jbcs-httpd24-brotli-0:1.0.6-40.el8jbcs" }, { "product_name" : "JBoss Core Services for RHEL 8", "release_date" : "2021-06-17T00:00:00Z", "advisory" : "RHSA-2021:2472", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8", "package" : "jbcs-httpd24-curl-0:7.77.0-2.el8jbcs" }, { "product_name" : "JBoss Core Services for RHEL 8", "release_date" : "2021-06-17T00:00:00Z", "advisory" : "RHSA-2021:2472", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8", "package" : "jbcs-httpd24-httpd-0:2.4.37-74.el8jbcs" }, { "product_name" : "JBoss Core Services for RHEL 8", "release_date" : "2021-06-17T00:00:00Z", "advisory" : "RHSA-2021:2472", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8", "package" : "jbcs-httpd24-jansson-0:2.11-55.el8jbcs" }, { "product_name" : "JBoss Core Services for RHEL 8", "release_date" : "2021-06-17T00:00:00Z", "advisory" : "RHSA-2021:2472", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8", "package" : "jbcs-httpd24-mod_cluster-native-0:1.3.16-5.Final_redhat_2.el8jbcs" }, { "product_name" : "JBoss Core Services for RHEL 8", "release_date" : "2021-06-17T00:00:00Z", "advisory" : "RHSA-2021:2472", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8", "package" : "jbcs-httpd24-mod_http2-0:1.15.7-17.el8jbcs" }, { "product_name" : "JBoss Core Services for RHEL 8", "release_date" : "2021-06-17T00:00:00Z", "advisory" : "RHSA-2021:2472", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8", "package" : "jbcs-httpd24-mod_jk-0:1.2.48-16.redhat_1.el8jbcs" }, { "product_name" : "JBoss Core Services for RHEL 8", "release_date" : "2021-06-17T00:00:00Z", "advisory" : "RHSA-2021:2472", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8", "package" : "jbcs-httpd24-mod_md-1:2.0.8-36.el8jbcs" }, { "product_name" : "JBoss Core Services for RHEL 8", "release_date" : "2021-06-17T00:00:00Z", "advisory" : "RHSA-2021:2472", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8", "package" : "jbcs-httpd24-mod_security-0:2.9.2-63.GA.el8jbcs" }, { "product_name" : "JBoss Core Services for RHEL 8", "release_date" : "2021-06-17T00:00:00Z", "advisory" : "RHSA-2021:2472", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8", "package" : "jbcs-httpd24-nghttp2-0:1.39.2-37.el8jbcs" }, { "product_name" : "JBoss Core Services for RHEL 8", "release_date" : "2021-06-17T00:00:00Z", "advisory" : "RHSA-2021:2472", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8", "package" : "jbcs-httpd24-openssl-1:1.1.1g-6.el8jbcs" }, { "product_name" : "JBoss Core Services for RHEL 8", "release_date" : "2021-06-17T00:00:00Z", "advisory" : "RHSA-2021:2472", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8", "package" : "jbcs-httpd24-openssl-chil-0:1.0.0-5.el8jbcs" }, { "product_name" : "JBoss Core Services for RHEL 8", "release_date" : "2021-06-17T00:00:00Z", "advisory" : "RHSA-2021:2472", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8", "package" : "jbcs-httpd24-openssl-pkcs11-0:0.4.10-20.el8jbcs" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2021-06-17T00:00:00Z", "advisory" : "RHSA-2021:2472", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-0:1-18.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2021-06-17T00:00:00Z", "advisory" : "RHSA-2021:2472", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-apr-0:1.6.3-105.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2021-06-17T00:00:00Z", "advisory" : "RHSA-2021:2472", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-apr-util-0:1.6.1-82.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2021-06-17T00:00:00Z", "advisory" : "RHSA-2021:2472", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-curl-0:7.77.0-2.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2021-06-17T00:00:00Z", "advisory" : "RHSA-2021:2472", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-httpd-0:2.4.37-74.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2021-06-17T00:00:00Z", "advisory" : "RHSA-2021:2472", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-jansson-0:2.11-55.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2021-06-17T00:00:00Z", "advisory" : "RHSA-2021:2472", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-mod_cluster-native-0:1.3.16-5.Final_redhat_2.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2021-06-17T00:00:00Z", "advisory" : "RHSA-2021:2472", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-mod_http2-0:1.15.7-17.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2021-06-17T00:00:00Z", "advisory" : "RHSA-2021:2472", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-mod_jk-0:1.2.48-16.redhat_1.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2021-06-17T00:00:00Z", "advisory" : "RHSA-2021:2472", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-mod_md-1:2.0.8-36.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2021-06-17T00:00:00Z", "advisory" : "RHSA-2021:2472", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-mod_security-0:2.9.2-63.GA.jbcs.el7" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2021-05-18T00:00:00Z", "advisory" : "RHSA-2021:1610", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "curl-0:7.61.1-18.el8" } ], "package_state" : [ { "product_name" : ".NET Core 2.1 on Red Hat Enterprise Linux", "fix_state" : "Not affected", "package_name" : "rh-dotnet21-curl", "cpe" : "cpe:/a:redhat:rhel_dotnet:2.1" }, { "product_name" : ".NET Core 3.1 on Red Hat Enterprise Linux", "fix_state" : "Not affected", "package_name" : "rh-dotnet31-curl", "cpe" : "cpe:/a:redhat:rhel_dotnet:3.1" }, { "product_name" : "Red Hat Ceph Storage 2", "fix_state" : "Out of support scope", "package_name" : "curl", "cpe" : "cpe:/a:redhat:ceph_storage:2" }, { "product_name" : "Red Hat Enterprise Linux 5", "fix_state" : "Out of support scope", "package_name" : "curl", "cpe" : "cpe:/o:redhat:enterprise_linux:5" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "curl", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "curl", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Software Collections", "fix_state" : "Will not fix", "package_name" : "httpd24-curl", "cpe" : "cpe:/a:redhat:rhel_software_collections:3" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-8284\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-8284\nhttps://curl.se/docs/CVE-2020-8284.html" ], "name" : "CVE-2020-8284", "mitigation" : { "value" : "This flaw can be mitigated in curl as shipped with Red Hat Enterprise Linux and Red Hat Software Collections when using curl by passing the `--ftp-skip-pasv-ip` command line option to curl. For usage of libcurl, set `CURLOPT_FTP_SKIP_PASV_IP` to `1L`[1]. Note that these mitigations could cause problems in the uncommon instance that the server needs the client to connect back to an IP other than the control connection IP address.\n1. https://curl.se/libcurl/c/CURLOPT_FTP_SKIP_PASV_IP.html", "lang" : "en:us" }, "csaw" : false }