CVE-2020-8284 - log

CVE-2020-8284 edited at 09 Dec 2020 10:08:42
Severity
- Unknown
+ Low
Remote
- Unknown
+ Remote
Type
- Unknown
+ Information disclosure
Description
+ A security issue was found in curl versions 4.0 up to and including 7.73.0. When curl performs a passive FTP transfer, it first tries the EPSV command and if that is not supported, it falls back to using PASV. Passive mode is what curl uses by default. A server response to a PASV command includes the (IPv4) address and port number for the client to connect back to in order to perform the actual data transfer. This is how the FTP protocol is designed to work. A malicious server can use the PASV response to trick curl into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions. If curl operates on a URL provided by a user (which by all means is an unwise setup), a user can exploit that and pass in a URL to a malicious FTP server instance without needing any server breach to perform the attack.
References
+ https://curl.se/docs/CVE-2020-8284.html
+ https://github.com/curl/curl/commit/ec9cc725d598ac77de7b6df8afeec292b3c8ad46
Notes
+ Workaround
+ ==========
+
+ The issue can be mitigated by setting CURLOPT_FTP_SKIP_PASV_IP to 1L or using --ftp-skip-pasv-ip.
CVE-2020-8284 created at 09 Dec 2020 10:01:08
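
The behaviour the workaround asks for can be sketched in a few lines of C. This is an added example, not curl's code: `parse_pasv` and `pasv_target` are hypothetical names, and the 227 reply and addresses are constructed sample values. It parses the PASV reply, flags a reply whose IP differs from the control connection's peer, and with the skip flag set reuses the peer address so that only the port is taken from the server.

```c
#include <stdio.h>
#include <string.h>

/* Parse "227 ... (h1,h2,h3,h4,p1,p2)"; returns 0 on success, -1 if malformed. */
static int parse_pasv(const char *reply, char ip[16], int *port)
{
    unsigned h[4], p[2];
    const char *s = strchr(reply, '(');

    if (strncmp(reply, "227", 3) != 0 || !s)
        return -1;
    if (sscanf(s, "(%u,%u,%u,%u,%u,%u)",
               &h[0], &h[1], &h[2], &h[3], &p[0], &p[1]) != 6)
        return -1;
    for (int i = 0; i < 4; i++)
        if (h[i] > 255)
            return -1;
    if (p[0] > 255 || p[1] > 255)
        return -1;
    snprintf(ip, 16, "%u.%u.%u.%u", h[0], h[1], h[2], h[3]);
    *port = (int)(p[0] * 256 + p[1]);
    return 0;
}

/* Pick the data-connection target. With skip_pasv_ip set (the behaviour the
 * workaround option asks for), the advertised IP is discarded and the control
 * connection's peer address is reused; only the port comes from the reply.
 * Returns 1 if the advertised IP differed from the peer, 0 if not, -1 on error. */
static int pasv_target(const char *reply, const char *control_peer,
                       int skip_pasv_ip, char out_ip[16], int *out_port)
{
    char advertised[16];
    int mismatch;

    if (parse_pasv(reply, advertised, out_port) != 0)
        return -1;
    mismatch = strcmp(advertised, control_peer) != 0;
    snprintf(out_ip, 16, "%s", skip_pasv_ip ? control_peer : advertised);
    return mismatch;
}

int main(void)
{
    /* Constructed reply: server at 203.0.113.7 points the client at 10.0.0.5:22. */
    const char *reply = "227 Entering Passive Mode (10,0,0,5,0,22)";
    char ip[16];
    int port, r = pasv_target(reply, "203.0.113.7", 1, ip, &port);
    printf("mismatch=%d connect to %s:%d\n", r, ip, port);
    return 0;
}
```

A return value of 1 is worth logging on the client side, since an honest server normally advertises the address the control connection already uses.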