{
  "threat_severity" : "Moderate",
  "public_date" : "2020-12-09T08:00:00Z",
  "bugzilla" : {
    "description" : "curl: Malicious FTP server can trigger stack overflow when CURLOPT_CHUNK_BGN_FUNCTION is used",
    "id" : "1902687",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1902687"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-674->CWE-121",
  "details" : [ "curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing.", "Libcurl offers a wildcard matching functionality, which allows a callback (set with `CURLOPT_CHUNK_BGN_FUNCTION`) to return information back to libcurl on how to handle a specific entry in a directory when libcurl iterates over a list of all available entries. When this callback returns `CURL_CHUNK_BGN_FUNC_SKIP`, to tell libcurl not to deal with that file, the internal function in libcurl then calls itself recursively to handle the next directory entry. If there is a sufficient number of file entries and the callback returns \"skip\" enough times, libcurl runs out of stack space. The exact amount will of course vary with platforms, compilers and other environmental factors." ],
  "acknowledgement" : "Red Hat would like to thank Varnavas Papaioannou for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "JBoss Core Services Apache HTTP Server 2.4.37 SP8",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2471",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1",
    "package" : "jbcs-httpd24-curl"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-0:1-18.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-apr-0:1.6.3-105.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-apr-util-0:1.6.1-82.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-brotli-0:1.0.6-40.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-curl-0:7.77.0-2.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-httpd-0:2.4.37-74.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-jansson-0:2.11-55.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-mod_cluster-native-0:1.3.16-5.Final_redhat_2.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-mod_http2-0:1.15.7-17.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-mod_jk-0:1.2.48-16.redhat_1.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-mod_md-1:2.0.8-36.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-mod_security-0:2.9.2-63.GA.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-nghttp2-0:1.39.2-37.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-openssl-1:1.1.1g-6.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-openssl-chil-0:1.0.0-5.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-openssl-pkcs11-0:0.4.10-20.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-0:1-18.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-apr-0:1.6.3-105.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-apr-util-0:1.6.1-82.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-curl-0:7.77.0-2.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-httpd-0:2.4.37-74.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-jansson-0:2.11-55.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-mod_cluster-native-0:1.3.16-5.Final_redhat_2.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-mod_http2-0:1.15.7-17.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-mod_jk-0:1.2.48-16.redhat_1.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-mod_md-1:2.0.8-36.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-mod_security-0:2.9.2-63.GA.jbcs.el7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2021-05-18T00:00:00Z",
    "advisory" : "RHSA-2021:1610",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "curl-0:7.61.1-18.el8"
  } ],
  "package_state" : [ {
    "product_name" : ".NET Core 2.1 on Red Hat Enterprise Linux",
    "fix_state" : "Not affected",
    "package_name" : "rh-dotnet21-curl",
    "cpe" : "cpe:/a:redhat:rhel_dotnet:2.1"
  }, {
    "product_name" : ".NET Core 3.1 on Red Hat Enterprise Linux",
    "fix_state" : "Not affected",
    "package_name" : "rh-dotnet31-curl",
    "cpe" : "cpe:/a:redhat:rhel_dotnet:3.1"
  }, {
    "product_name" : "Red Hat Ceph Storage 2",
    "fix_state" : "Out of support scope",
    "package_name" : "curl",
    "cpe" : "cpe:/a:redhat:ceph_storage:2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Out of support scope",
    "package_name" : "curl",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "curl",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "curl",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Will not fix",
    "package_name" : "httpd24-curl",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-8285\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-8285\nhttps://curl.se/docs/CVE-2020-8285.html\nhttps://github.com/curl/curl/issues/6255" ],
  "name" : "CVE-2020-8285",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}