snowflakedb/libsnowflakeclient

SNOW-301849: CVE-2020-8285 (High) detected in curlcurl-7_68_0


CVE-2020-8285 - High Severity Vulnerability

Vulnerable Library - curlcurl-7_68_0

A command line tool and library for transferring data with URL syntax, supporting HTTP, HTTPS, FTP, FTPS, GOPHER, TFTP, SCP, SFTP, SMB, TELNET, DICT, LDAP, LDAPS, FILE, IMAP, SMTP, POP3, RTSP and RTMP. libcurl offers a myriad of powerful features

Library home page: https://github.com/bagder/curl.git

Found in HEAD commit: 5b110184c4e8c439495907c7d1359fe4eb4f8a6c

Found in base branch: master

Vulnerable Source Files

libsnowflakeclient/deps/curl-7.68.0/lib/ftp.c

Vulnerability Details

curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion (stack exhaustion) in FTP wildcard matching. When the application's CURLOPT_CHUNK_BGN_FUNCTION callback returns CURL_CHUNK_BGN_FUNC_SKIP for a directory entry, libcurl's wildcard state machine calls itself recursively to handle the next entry, one stack frame per skipped entry. A malicious or compromised FTP server that returns a sufficiently large directory listing can therefore run the client out of stack space and crash it (denial of service). Only transfers that enable CURLOPT_WILDCARDMATCH are affected; the exact number of entries needed varies with platform, compiler and stack size.
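The following is an added illustration of the recursion pattern described above; it is not curl's code. It models libcurl's FTP wildcard state machine with a per-entry "chunk begin" callback and compares the recursive shape (the vulnerable one, where every skipped entry adds a stack frame) against the looping shape that 7.74.0 switched to. The entry struct, the callback's skip policy and the directory listing are constructed for the example; depth counters are added so the behaviour can be observed without actually crashing the process.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added model of CVE-2020-8285, not curl code. Names below are assumptions. */
enum chunk_action { CHUNK_PROCESS = 0, CHUNK_SKIP = 1 };

struct ftp_entry { const char *name; };

/* Stand-in for an application's CURLOPT_CHUNK_BGN_FUNCTION callback:
 * constructed policy that only wants .csv files, skipping everything else. */
static enum chunk_action chunk_begin(const struct ftp_entry *e)
{
    size_t n = strlen(e->name);
    return (n >= 4 && strcmp(e->name + n - 4, ".csv") == 0)
           ? CHUNK_PROCESS : CHUNK_SKIP;
}

/* Bookkeeping so recursion depth can be measured. */
struct walk_stats { int processed; int skipped; int depth; int max_depth; };

/* Vulnerable shape (curl 7.21.0 - 7.73.0): a skipped entry re-enters the
 * state machine recursively, so depth grows with the run of skipped entries.
 * Returns the index of the next entry the driver should hand it. */
static size_t statemach_recursive(const struct ftp_entry *list, size_t n,
                                  size_t i, struct walk_stats *st)
{
    size_t next;
    if (i >= n) return n;
    st->depth++;
    if (st->depth > st->max_depth) st->max_depth = st->depth;
    if (chunk_begin(&list[i]) == CHUNK_SKIP) {
        st->skipped++;
        next = statemach_recursive(list, n, i + 1, st); /* one frame per skip */
    } else {
        st->processed++;  /* the real code would start the transfer here */
        next = i + 1;
    }
    st->depth--;
    return next;
}

/* Fixed shape (curl 7.74.0): skipped entries are consumed in a loop, so the
 * stack depth is constant however long the listing is. */
static size_t statemach_fixed(const struct ftp_entry *list, size_t n,
                              size_t i, struct walk_stats *st)
{
    st->depth++;
    if (st->depth > st->max_depth) st->max_depth = st->depth;
    while (i < n && chunk_begin(&list[i]) == CHUNK_SKIP) {
        st->skipped++;
        i++;
    }
    if (i < n) { st->processed++; i++; }
    st->depth--;
    return i;
}

typedef size_t (*statemach_fn)(const struct ftp_entry *, size_t, size_t,
                               struct walk_stats *);

/* Driver standing in for the multi handle: keep calling the state machine
 * until the listing is exhausted. */
static struct walk_stats drive(statemach_fn fn, const struct ftp_entry *list,
                               size_t n)
{
    struct walk_stats st = {0, 0, 0, 0};
    size_t i = 0;
    while (i < n) i = fn(list, n, i, &st);
    return st;
}

/* Constructed server listing: `skips` junk files followed by one export.csv. */
static struct ftp_entry *make_listing(size_t skips, size_t *out_n)
{
    size_t n = skips + 1, i;
    struct ftp_entry *list = malloc(n * sizeof *list);
    if (!list) { *out_n = 0; return NULL; }
    for (i = 0; i < skips; i++) list[i].name = "core.tmp";
    list[skips].name = "export.csv";
    *out_n = n;
    return list;
}

struct walk_stats stats_recursive(size_t skips)
{
    size_t n;
    struct ftp_entry *list = make_listing(skips, &n);
    struct walk_stats st = drive(statemach_recursive, list, n);
    free(list);
    return st;
}

struct walk_stats stats_fixed(size_t skips)
{
    size_t n;
    struct ftp_entry *list = make_listing(skips, &n);
    struct walk_stats st = drive(statemach_fixed, list, n);
    free(list);
    return st;
}

int main(void)
{
    struct walk_stats r = stats_recursive(1000), f = stats_fixed(1000);
    printf("recursive: max depth %d, skipped %d, processed %d\n",
           r.max_depth, r.skipped, r.processed);
    printf("fixed:     max depth %d, skipped %d, processed %d\n",
           f.max_depth, f.skipped, f.processed);
    return 0;
}
```

Both shapes produce the same transfer result (1000 skipped, 1 processed), but the recursive one reaches a depth of 1001 frames for a 1001-entry listing; with a listing large enough for the platform's stack size that is a crash rather than a number. Because the recursion is inside libcurl, an application cannot fix it from its callback; the remedies are upgrading or not enabling CURLOPT_WILDCARDMATCH against untrusted servers.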

Publish Date: 2020-12-14

URL: CVE-2020-8285

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://curl.se/docs/CVE-2020-8285.html

Release Date: 2020-12-09 (curl 7.74.0)

Fix Resolution: 7.74.0
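As an added check (not part of the scanner report or of curl), the helper below encodes a curl version string the way curl's LIBCURL_VERSION_NUM macro does (0xXXYYZZ) and tests it against the affected range stated above, 7.21.0 through 7.73.0 inclusive. The hex constants are derived from that range; the function names are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>

/* Encode "major.minor.patch" as 0xXXYYZZ, matching curl's LIBCURL_VERSION_NUM
 * layout. Returns -1 on malformed input. Added helper, not curl code. */
long curl_version_num(const char *s)
{
    char *end;
    long parts[3];
    int i;
    for (i = 0; i < 3; i++) {
        parts[i] = strtol(s, &end, 10);
        if (end == s || parts[i] < 0 || parts[i] > 255) return -1;
        if (i < 2) {
            if (*end != '.') return -1;
            s = end + 1;
        } else if (*end != '\0') {
            return -1;
        }
    }
    return (parts[0] << 16) | (parts[1] << 8) | parts[2];
}

/* 1 if the version falls in the advisory's affected range 7.21.0 (0x071500)
 * .. 7.73.0 (0x074900), 0 if not, -1 if the string could not be parsed.
 * 7.74.0 (0x074A00) is the first fixed release. */
int affected_by_cve_2020_8285(const char *version)
{
    long v = curl_version_num(version);
    if (v < 0) return -1;
    return (v >= 0x071500 && v <= 0x074900) ? 1 : 0;
}

int main(int argc, char **argv)
{
    /* Default to the vendored version this issue is about. */
    const char *v = argc > 1 ? argv[1] : "7.68.0";
    int r = affected_by_cve_2020_8285(v);
    if (r < 0) { fprintf(stderr, "unparseable version: %s\n", v); return 2; }
    printf("curl %s: %s\n", v, r ? "AFFECTED by CVE-2020-8285" : "not affected");
    return r;
}
```

In a vendored tree like deps/curl-7.68.0 the authoritative value is LIBCURL_VERSION_NUM in include/curl/curlver.h; compare that, not the directory name, since a patched tree can carry an unchanged directory name.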