CVE-2020-8284

Name: CVE-2020-8284
Creator: NVD / NIST
Published: 2020-12-14T20:15:13.903+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

LOWCVSS 3.7/10EPSS 3.85%

Last modified Jun 17, 2026

CVE-2020-8284 is a low-severity vulnerability rated 3.7/10 on the CVSS scale. A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.. EPSS estimates a 3.85% chance of exploitation in the next 30 days.

Description

A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.

Metrics

CVSS 3.1

3.7/10

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS Probability

3.85%

88.8th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-200

Affected Software

Vendor	Product	Versions	Update
Haxx	Curl	<= 7.73.0	—
Fedoraproject	Fedora	32	—
Fedoraproject	Fedora	33	—
Debian	Debian Linux	9.0	—
Debian	Debian Linux	10.0	—
Netapp	Clustered Data Ontap	All versions	—
Netapp	Hci Management Node	All versions	—
Netapp	Solidfire	All versions	—
Netapp	Hci Storage Node	All versions	—
Netapp	Hci Bootstrap Os	All versions	—
Apple	Mac Os X	>= 10.14.0, < 10.14.6	—
Apple	Mac Os X	>= 10.15, < 10.15.7	—
Apple	Mac Os X	10.14.6	Security Update 2019-001
Apple	Mac Os X	10.15.7	—
Apple	Macos	11.0.1	—
Apple	Macos	11.1	—
Apple	Macos	11.2	—
Oracle	Communications Billing And Revenue Management	12.0.0.3.0	—
Oracle	Communications Cloud Native Core Policy	1.14.0	—
Oracle	Essbase	21.2	—
Oracle	Peoplesoft Enterprise Peopletools	8.58	—
Fujitsu	M10-1 Firmware	< xcp2410	—
Fujitsu	M10-4 Firmware	< xcp2410	—
Fujitsu	M10-4s Firmware	< xcp2410	—
Fujitsu	M12-1 Firmware	< xcp2410	—
Fujitsu	M12-2 Firmware	< xcp2410	—
Fujitsu	M12-2s Firmware	< xcp2410	—
Fujitsu	M10-1 Firmware	< xcp3110	—
Fujitsu	M10-4 Firmware	< xcp3110	—
Fujitsu	M10-4s Firmware	< xcp3110	—
Fujitsu	M12-1 Firmware	< xcp3110	—
Fujitsu	M12-2 Firmware	< xcp3110	—
Fujitsu	M12-2s Firmware	< xcp3110	—
Siemens	Sinec Infrastructure Network Services	< 1.0.1.1	—
Splunk	Universal Forwarder	>= 8.2.0, < 8.2.12	—
Splunk	Universal Forwarder	>= 9.0.0, < 9.0.6	—
Splunk	Universal Forwarder	9.1.0	—

References

https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdfPatch, Third Party Advisory
https://curl.se/docs/CVE-2020-8284.htmlVendor Advisory
https://hackerone.com/reports/1040166Permissions Required
https://lists.debian.org/debian-lts-announce/2020/12/msg00029.htmlMailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DAEHE2S2QLO4AO4MEEYL75NB7SAH5PSL/Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NZUVSQHN2ESHMJXNQ2Z7T2EELBB5HJXG/Mailing List, Third Party Advisory
https://security.gentoo.org/glsa/202012-14Third Party Advisory
https://security.netapp.com/advisory/ntap-20210122-0007/Third Party Advisory
https://support.apple.com/kb/HT212325Third Party Advisory
https://support.apple.com/kb/HT212326Third Party Advisory
https://support.apple.com/kb/HT212327Third Party Advisory
https://www.debian.org/security/2021/dsa-4881Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdfPatch, Third Party Advisory
https://curl.se/docs/CVE-2020-8284.htmlVendor Advisory
https://hackerone.com/reports/1040166Permissions Required
https://lists.debian.org/debian-lts-announce/2020/12/msg00029.htmlMailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DAEHE2S2QLO4AO4MEEYL75NB7SAH5PSL/Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NZUVSQHN2ESHMJXNQ2Z7T2EELBB5HJXG/Mailing List, Third Party Advisory
https://security.gentoo.org/glsa/202012-14Third Party Advisory
https://security.netapp.com/advisory/ntap-20210122-0007/Third Party Advisory
https://support.apple.com/kb/HT212325Third Party Advisory
https://support.apple.com/kb/HT212326Third Party Advisory
https://support.apple.com/kb/HT212327Third Party Advisory
https://www.debian.org/security/2021/dsa-4881Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Third Party Advisory

Timeline

Published: Dec 14, 2020
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2020-8284?

How severe is CVE-2020-8284?

CVE-2020-8284 has a CVSS score of 3.7/10 (LOW severity). The EPSS model estimates a 3.85% probability of exploitation in the next 30 days.

How do I fix CVE-2020-8284?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2020-8284?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST