PT-2020-6190
Published: 2020-11-21 · Updated: 2026-05-18 · CVE-2020-8284
CVSS v2.0: 4.3 (Medium)
| Vector | AV:N/AC:M/Au:N/C:P/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
curl versions 7.73.0 and earlier
Description
A malicious server can use the FTP PASV response to trick curl into connecting back to an IP address and port of the server's choosing, potentially making curl extract information about services that are otherwise private and not disclosed. This could allow port scanning and service banner extraction. The issue arises when curl performs a passive FTP transfer: it first tries the EPSV command and falls back to PASV if EPSV is not supported. The server's response to PASV includes the address and port number the client should connect back to, and a malicious server can supply an address that is not its own.
Recommendations
For curl versions 7.73.0 and earlier, consider updating to a version with improved checks to address this issue. As a temporary workaround, restrict the use of curl with untrusted FTP servers to minimize the risk of exploitation. Avoid using curl with URLs provided by untrusted users to prevent potential attacks.
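The following is an added illustration, not curl's own code: it parses a 227 PASV reply and shows the defensive choice an FTP client can make, either ignoring the server-supplied address and reusing the control connection's IP (the behaviour curl 7.74.0 adopted by default), or refusing any reply that points elsewhere. The control_ip parameter and the two sample replies are constructed for the example.

```python
import ipaddress
import re
from typing import Optional, Tuple

# Shape of a 227 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" (RFC 959).
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Extract (ip, port) from a 227 PASV reply; raise ValueError if malformed."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 PASV reply: %r" % reply)
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError("227 reply without an (h1,h2,h3,h4,p1,p2) tuple")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in PASV reply")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("PASV reply advertises port 0")
    return f"{h1}.{h2}.{h3}.{h4}", port


def pasv_data_endpoint(reply: str, control_ip: str,
                       skip_pasv_ip: bool = True) -> Optional[Tuple[str, int]]:
    """Pick the data-connection target; None means refuse to connect.

    control_ip (assumed parameter) is the IP the control connection already
    talks to. With skip_pasv_ip=True only the port is taken from the reply,
    so the server cannot steer the client to another host. With
    skip_pasv_ip=False the address is trusted, as in the vulnerable
    behaviour, so we at least refuse a reply that names a different host.
    """
    ip, port = parse_pasv(reply)
    if skip_pasv_ip:
        return control_ip, port
    return (ip, port) if ip == control_ip else None


def describe_pasv_redirect(reply: str, control_ip: str) -> Optional[str]:
    """Log-style warning when a 227 reply points away from the control host."""
    ip, port = parse_pasv(reply)
    if ip == control_ip:
        return None
    addr = ipaddress.ip_address(ip)
    scope = "loopback" if addr.is_loopback else "private" if addr.is_private else "external"
    return f"PASV redirect: server {control_ip} sent {ip}:{port} ({scope} address)"


# Constructed sample replies: a benign one, and one aimed at the client's own loopback.
BENIGN_REPLY = "227 Entering Passive Mode (203,0,113,10,195,80)"
REDIRECT_REPLY = "227 Entering Passive Mode (127,0,0,1,0,22)"
```

Logging the warning from describe_pasv_redirect on the client side is a cheap way to spot an FTP server probing for this weakness, whichever endpoint policy the client enforces.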
Fix
Information Disclosure
Affected Products
Alt Linux
Astra Linux
Centos
Linuxmint
Apple Macos
Red Hat
Rocky Linux
Suse
Ubuntu
Curl