The vulnerability of the software for interacting with servers via curl exists due to a logical error in processing the Content-Disposition header of HTTP responses. This allows an attacker to re-write local files.

🗓️ 09 Jul 2020 00:00:00Reported by FSTEC of Russia — Information Security Threat DatabaseType

bdu_fstec

bdu_fstec🔗 bdu.fstec.ru👁 3 Views

Remote attacker can rewrite files via curl software due to a logic error in Content-Disposition header handling.

Reporter	Title	Published	Views	Family All 238
IBM Security Bulletins	Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities	15 Apr 202221:36	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Security QRadar Analyst Workflow add on to IBM QRadar SIEM is vulnerable to using components with known vulnerabilities	27 Jan 202123:48	–	ibm
IBM Security Bulletins	Security Bulletin: Cloud Pak for Security uses packages that are vulnerable to several CVEs	19 Oct 202115:38	–	ibm
IBM Security Bulletins	Security Bulletin: cURL vulnerabilities CVE-2020-8169 CVE-2020-8177 impact IBM Aspera Streaming/IBM Aspera Streaming for Video version 3.9.6.1 and earlier	8 Dec 202018:50	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Cloud Private is vulnerable to cURL vulnerabilities (CVE-2020-8169, CVE-2020-8177)	26 Feb 202113:18	–	ibm
IBM Security Bulletins	Security Bulletin: cURL vulnerabilities CVE-2020-8169 CVE-2020-8177 impact IBM Aspera High-Speed Transfer Server 3.9.6.2 and earlier and Aspera High-Speed Transfer Endpoint 3.9.6.2 and earlier	11 Dec 202018:03	–	ibm
IBM Security Bulletins	Security Bulletin: IBM QRadar SIEM Application Framework Base Image is vulnerable to using components with Known Vulnerabilities	3 Dec 202118:52	–	ibm
IBM Security Bulletins	Security Bulletin: IBM QRadar Network Packet Capture is vulnerable to Using Components with Known Vulnerabilities	30 Oct 202016:18	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in Curl affect PowerSC (CVE-2020-8169, CVE-2020-8177)	23 Oct 202020:38	–	ibm
FreeBSD	curl -- multiple vulnerabilities	24 Jun 202000:00	–	freebsd

Vulners

Node

novell suse_openstack_cloudMatch7

OR

novell suse_enterprise_storageMatch5

OR

novell suse_openstack_cloudMatch8

OR

novell hpe_helion_openstackMatch8

OR

novell suse_linux_enterprise_high_performance_computingMatch15-espos

OR

novell suse_linux_enterprise_high_performance_computingMatch15-ltss

OR

daniel_stenberg curlRange<7.71.0

OR

red_hat red_hat_enterprise_linuxMatch8

OR

novell opensuse_leapMatch15.1

OR

novell suse_linux_enterprise_server_for_sap_applicationsMatch15

OR

novell suse_linux_enterprise_serverMatch11-security

OR

novell suse_linux_enterprise_server_for_sap_applicationsMatch11-security

OR

canonical ubuntuMatch19.10

OR

novell suse_linux_enterprise_serverMatch15-ltss

OR

novell opensuse_leapMatch15.2

Source	Link
access	www.access.redhat.com/security/cve/cve-2020-8177
curl	www.curl.haxx.se/docs/CVE-2020-8177.html
github	www.github.com/curl/curl/commit/80675818e0417be8c991513b328c5507e93b47e5
security-tracker	www.security-tracker.debian.org/tracker/CVE-2020-8177
strelets	www.strelets.net/patchi-i-obnovleniya-bezopasnosti
ubuntu	www.ubuntu.com/security/notices/USN-4402-1
opennet	www.opennet.ru/opennews/art.shtml
suse	www.suse.com/security/cve/CVE-2020-8177/
whitesourcesoftware	www.whitesourcesoftware.com/vulnerability-database/CVE-2020-8177
wiki	www.wiki.astralinux.ru/astra-linux-se17-bulletin-2021-1126SE17

16 Sep 2024 00:00Current

6.6Medium risk

Vulners AI Score6.6

CVSS 25

CVSS 35.3

EPSS0.01236

Content-Disoosition header remote attacker rewrite local files curl software