CVE-2020-8177 log

Severity High
Remote Yes
Type Arbitrary file overwrite
An issue has been found in curl from 7.20.0 upto and including 7.70.0, which can be tricked by a malicious server to overwrite a local file when using -J (--remote-header-name) and -i (--head) in the same command line. When curl -J is used it doesn’t work together with -i and there’s a check that prevents it from getting used. The check was flawed and could be circumvented, which the effect that a server that provides a file name in a Content-Disposition: header could overwrite a local file, since the check for an existing local file was done in the code for receiving a body – as -i wasn’t supposed to work
Group Package Affected Fixed Severity Status Ticket
AVG-1194 curl 7.70.0-1 7.71.0-1 High Fixed