CVE-2020-8177
curl: Incorrect argument check can allow remote servers to overwrite local files
Severity Score
7.8
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead too overwriting a local file when the -J flag is used.
curl versiones 7.20.0 hasta 7.70.0, es vulnerable a una restricción inapropiada de nombres para archivos y otros recursos que pueden conllevar a sobrescribir demasiado un archivo local cuando el flag -J es usado
A flaw was found in curl. Overwriting local files is possible when using a certain combination of command line options. Requesting content from a malicious server could lead to overwriting local files with compromised files leading to unknown effects. The highest threat from this vulnerability is to file integrity.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2020-01-28 CVE Reserved
- 2020-06-24 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-04 CVE Updated
- 2024-08-04 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
- CWE-99: Improper Control of Resource Identifiers ('Resource Injection')
CAPEC
References (7)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://hackerone.com/reports/887462 | 2024-08-04 |
| URL | Date | SRC |
|---|---|---|
| https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf | 2024-03-27 | |
| https://www.oracle.com/security-alerts/cpujan2022.html | 2024-03-27 |
| URL | Date | SRC |
|---|---|---|
| https://curl.se/docs/CVE-2020-8177.html | 2024-03-27 | |
| https://www.debian.org/security/2021/dsa-4881 | 2024-03-27 | |
| https://access.redhat.com/security/cve/CVE-2020-8177 | 2021-03-22 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1847915 | 2021-03-22 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Fujitsu Search vendor "Fujitsu" | M10-1 Firmware Search vendor "Fujitsu" for product "M10-1 Firmware" | < xcp2410 Search vendor "Fujitsu" for product "M10-1 Firmware" and version " < xcp2410" | - |
Affected
| in | Fujitsu Search vendor "Fujitsu" | M10-1 Search vendor "Fujitsu" for product "M10-1" | - | - |
Safe
|
| Fujitsu Search vendor "Fujitsu" | M10-4 Firmware Search vendor "Fujitsu" for product "M10-4 Firmware" | < xcp2410 Search vendor "Fujitsu" for product "M10-4 Firmware" and version " < xcp2410" | - |
Affected
| in | Fujitsu Search vendor "Fujitsu" | M10-4 Search vendor "Fujitsu" for product "M10-4" | - | - |
Safe
|
| Fujitsu Search vendor "Fujitsu" | M10-4s Firmware Search vendor "Fujitsu" for product "M10-4s Firmware" | < xcp2410 Search vendor "Fujitsu" for product "M10-4s Firmware" and version " < xcp2410" | - |
Affected
| in | Fujitsu Search vendor "Fujitsu" | M10-4s Search vendor "Fujitsu" for product "M10-4s" | - | - |
Safe
|
| Fujitsu Search vendor "Fujitsu" | M12-1 Firmware Search vendor "Fujitsu" for product "M12-1 Firmware" | < xcp2410 Search vendor "Fujitsu" for product "M12-1 Firmware" and version " < xcp2410" | - |
Affected
| in | Fujitsu Search vendor "Fujitsu" | M12-1 Search vendor "Fujitsu" for product "M12-1" | - | - |
Safe
|
| Fujitsu Search vendor "Fujitsu" | M12-2 Firmware Search vendor "Fujitsu" for product "M12-2 Firmware" | < xcp2410 Search vendor "Fujitsu" for product "M12-2 Firmware" and version " < xcp2410" | - |
Affected
| in | Fujitsu Search vendor "Fujitsu" | M12-2 Search vendor "Fujitsu" for product "M12-2" | - | - |
Safe
|
| Fujitsu Search vendor "Fujitsu" | M12-2s Firmware Search vendor "Fujitsu" for product "M12-2s Firmware" | < xcp2410 Search vendor "Fujitsu" for product "M12-2s Firmware" and version " < xcp2410" | - |
Affected
| in | Fujitsu Search vendor "Fujitsu" | M12-2s Search vendor "Fujitsu" for product "M12-2s" | - | - |
Safe
|
| Fujitsu Search vendor "Fujitsu" | M10-1 Firmware Search vendor "Fujitsu" for product "M10-1 Firmware" | < xcp3110 Search vendor "Fujitsu" for product "M10-1 Firmware" and version " < xcp3110" | - |
Affected
| in | Fujitsu Search vendor "Fujitsu" | M10-1 Search vendor "Fujitsu" for product "M10-1" | - | - |
Safe
|
| Fujitsu Search vendor "Fujitsu" | M10-4 Firmware Search vendor "Fujitsu" for product "M10-4 Firmware" | < xcp3110 Search vendor "Fujitsu" for product "M10-4 Firmware" and version " < xcp3110" | - |
Affected
| in | Fujitsu Search vendor "Fujitsu" | M10-4 Search vendor "Fujitsu" for product "M10-4" | - | - |
Safe
|
| Fujitsu Search vendor "Fujitsu" | M10-4s Firmware Search vendor "Fujitsu" for product "M10-4s Firmware" | < xcp3110 Search vendor "Fujitsu" for product "M10-4s Firmware" and version " < xcp3110" | - |
Affected
| in | Fujitsu Search vendor "Fujitsu" | M10-4s Search vendor "Fujitsu" for product "M10-4s" | - | - |
Safe
|
| Fujitsu Search vendor "Fujitsu" | M12-1 Firmware Search vendor "Fujitsu" for product "M12-1 Firmware" | < xcp3110 Search vendor "Fujitsu" for product "M12-1 Firmware" and version " < xcp3110" | - |
Affected
| in | Fujitsu Search vendor "Fujitsu" | M12-1 Search vendor "Fujitsu" for product "M12-1" | - | - |
Safe
|
| Fujitsu Search vendor "Fujitsu" | M12-2 Firmware Search vendor "Fujitsu" for product "M12-2 Firmware" | < xcp3110 Search vendor "Fujitsu" for product "M12-2 Firmware" and version " < xcp3110" | - |
Affected
| in | Fujitsu Search vendor "Fujitsu" | M12-2 Search vendor "Fujitsu" for product "M12-2" | - | - |
Safe
|
| Fujitsu Search vendor "Fujitsu" | M12-2s Firmware Search vendor "Fujitsu" for product "M12-2s Firmware" | < xcp3110 Search vendor "Fujitsu" for product "M12-2s Firmware" and version " < xcp3110" | - |
Affected
| in | Fujitsu Search vendor "Fujitsu" | M12-2s Search vendor "Fujitsu" for product "M12-2s" | - | - |
Safe
|
| Haxx Search vendor "Haxx" | Curl Search vendor "Haxx" for product "Curl" | >= 7.20.0 <= 7.70.0 Search vendor "Haxx" for product "Curl" and version " >= 7.20.0 <= 7.70.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
| ||||||
| Siemens Search vendor "Siemens" | Sinec Infrastructure Network Services Search vendor "Siemens" for product "Sinec Infrastructure Network Services" | < 1.0.1.1 Search vendor "Siemens" for product "Sinec Infrastructure Network Services" and version " < 1.0.1.1" | - |
Affected
| ||||||
| Splunk Search vendor "Splunk" | Universal Forwarder Search vendor "Splunk" for product "Universal Forwarder" | >= 8.2.0 < 8.2.12 Search vendor "Splunk" for product "Universal Forwarder" and version " >= 8.2.0 < 8.2.12" | - |
Affected
| ||||||
| Splunk Search vendor "Splunk" | Universal Forwarder Search vendor "Splunk" for product "Universal Forwarder" | >= 9.0.0 < 9.0.6 Search vendor "Splunk" for product "Universal Forwarder" and version " >= 9.0.0 < 9.0.6" | - |
Affected
| ||||||
| Splunk Search vendor "Splunk" | Universal Forwarder Search vendor "Splunk" for product "Universal Forwarder" | 9.1.0 Search vendor "Splunk" for product "Universal Forwarder" and version "9.1.0" | - |
Affected
| ||||||