PublicDateAtUSN: 2020-12-09 08:00:00 UTC
Candidate: CVE-2020-8284
CRD: 2020-12-09 08:00:00 UTC
PublicDate: 2020-12-14 20:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8284
 https://curl.se/docs/CVE-2020-8284.html
 https://ubuntu.com/security/notices/USN-4665-1
 https://ubuntu.com/security/notices/USN-4665-2
Description:
 A malicious server can use the FTP PASV response to trick curl 7.73.0 and
 earlier into connecting back to a given IP address and port, and this way
 potentially make curl extract information about services that are otherwise
 private and not disclosed, for example doing port scanning and service
 banner extractions.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: low
Discovered-by: Varnavas Papaioannou
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N [3.7 LOW]

Patches_curl:
 upstream: https://github.com/curl/curl/commit/ec9cc725d598ac
upstream_curl: released (7.74.0)
precise/esm_curl: released (7.22.0-3ubuntu4.29)
trusty_curl: ignored (out of standard support)
trusty/esm_curl: released (7.35.0-1ubuntu2.20+esm6)
xenial_curl: released (7.47.0-1ubuntu2.18)
esm-infra/xenial_curl: released (7.47.0-1ubuntu2.18)
bionic_curl: released (7.58.0-2ubuntu3.12)
focal_curl: released (7.68.0-1ubuntu2.4)
groovy_curl: released (7.68.0-1ubuntu4.2)
devel_curl: released (7.74.0-1ubuntu1)