Vulnerability Name: CVE-2020-8169 (CCN-183930)

Assigned:2020-06-24
Published:2020-06-24
Updated:2022-04-19
Summary:curl 7.62.0 through 7.70.0 is vulnerable to an information disclosure vulnerability that can lead to a partial password being leaked over the network and to the DNS server(s). Fixed upstream in curl 7.71.0, the first release after the affected range.
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availability (A): None
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availability (A): None
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
Vulnerability Type:CWE-200
Vulnerability Consequences:Obtain Information
References:Source: MITRE
Type: CNA
CVE-2020-8169

Source: CONFIRM
Type: Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-200951.pdf

Source: CONFIRM
Type: Patch, Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

Source: CCN
Type: Project curl Security Advisory, June 24th 2020
Partial password leak over DNS on HTTP redirect

Source: MISC
Type: Vendor Advisory
https://curl.se/docs/CVE-2020-8169.html

Source: XF
Type: UNKNOWN
libcurl-cve20208169-info-disc(183930)

Source: MISC
Type: Exploit, Third Party Advisory
https://hackerone.com/reports/874778

Source: DEBIAN
Type: Third Party Advisory
DSA-4881

Source: CCN
Type: IBM Security Bulletin 6353035 (PowerSC)
Vulnerabilities in Curl affect PowerSC (CVE-2020-8169, CVE-2020-8177)

Source: CCN
Type: IBM Security Bulletin 6379792 (Aspera Streaming)
cURL vulnerabilities CVE-2020-8169 CVE-2020-8177 impact IBM Aspera Streaming/IBM Aspera Streaming for Video version 3.9.6.1 and earlier

Source: CCN
Type: IBM Security Bulletin 6381376 (Aspera High-Speed Transfer Server)
cURL vulnerabilities CVE-2020-8169 CVE-2020-8177 impact IBM Aspera High-Speed Transfer Server 3.9.6.2 and earlier and Aspera High-Speed Transfer Endpoint 3.9.6.2 and earlier

Source: CCN
Type: IBM Security Bulletin 6409294 (Security QRadar Analyst Workflow)
IBM Security QRadar Analyst Workflow add on to IBM QRadar SIEM is vulnerable to using components with known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6417375 (Cloud Private)
IBM Cloud Private is vulnerable to cURL vulnerabilities (CVE-2020-8169, CVE-2020-8177)

Vulnerable Configuration:
  Configuration 1:
  • cpe:/a:haxx:curl:*:*:*:*:*:*:*:* (Version >= 7.62.0 and <= 7.70.0)

  Configuration 2:
  • cpe:/o:siemens:simatic_tim_1531_irc_firmware:*:*:*:*:*:*:*:* (Version < 2.2)
    AND
  • cpe:/h:siemens:simatic_tim_1531_irc:-:*:*:*:*:*:*:*

  Configuration 3:
  • cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*

  Configuration 4:
  • cpe:/a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:* (Version < 1.0.1.1)

  Configuration CCN 1:
  • cpe:/a:curl:libcurl:7.62.0:*:*:*:*:*:*:*
    AND
  • cpe:/a:ibm:cloud_private:3.2.1:cd:*:*:*:*:*:*
    OR cpe:/a:ibm:cloud_private:3.2.2:cd:*:*:*:*:*:*

  * Denotes that component is vulnerable
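Triage helper, added here as an example and not code from the curl project or from any vendor listed in this record. It takes the affected range from Configuration 1 (7.62.0 through 7.70.0, fixed upstream in 7.71.0) and applies it to two inputs a practitioner actually has: the first line of `curl --version` on a host, and the `libcurl/x.y.z` or `curl/x.y.z` token that curl-based clients put in their User-Agent, scanned out of web server access logs to find which clients still run an affected build. All banners and log lines below are constructed sample data. Caveat: distributions backport fixes without bumping the upstream version (Debian 10 ships curl 7.64.x and was fixed by DSA-4881, listed above), so a version-string match is a lead for the inventory, not a verdict; confirm against the package changelog or the distro advisory.

```python
"""Triage helper for CVE-2020-8169 (example code, not from the curl project).

Flags curl/libcurl builds whose upstream version is in 7.62.0 .. 7.70.0.
Version strings come from `curl --version` output or from User-Agent tokens
("curl/7.64.0", "myapp/2.1 libcurl/7.70.0") found in access logs.
"""
import re
from typing import Dict, Iterable, Optional, Tuple

Version = Tuple[int, int, int]

AFFECTED_MIN: Version = (7, 62, 0)   # lower bound from Vulnerable Configuration 1
AFFECTED_MAX: Version = (7, 70, 0)   # upper bound from Vulnerable Configuration 1
FIXED_IN: Version = (7, 71, 0)       # first upstream release after the range

# "curl 7.68.0 (...)" from `curl --version`, "curl/7.64.0" from the CLI's
# default User-Agent, or "libcurl/7.70.0" from an application built on libcurl.
_VERSION_RE = re.compile(r"(?:\bcurl[ /]|libcurl/)(\d+)\.(\d+)\.(\d+)")

# Combined log format: client address first, User-Agent as the last quoted field.
_LOG_RE = re.compile(r'^(\S+) .*? "([^"]*)"$')


def parse_curl_version(text: str) -> Optional[Version]:
    """Return (major, minor, patch) for the first curl/libcurl token in text."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_upstream_affected(v: Version) -> bool:
    """True when the upstream version lies inside the advisory's range."""
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def triage_banner(banner: str) -> str:
    """Classify one `curl --version` first line: affected / not-affected / unknown."""
    v = parse_curl_version(banner)
    if v is None:
        return "unknown"
    return "affected" if is_upstream_affected(v) else "not-affected"


def find_affected_clients(log_lines: Iterable[str]) -> Dict[str, Version]:
    """Map client address -> advertised version for User-Agents in the range.

    User-Agent is client-controlled and often absent, so this finds leads for
    the asset inventory; it does not prove or disprove exposure.
    """
    hits: Dict[str, Version] = {}
    for line in log_lines:
        m = _LOG_RE.match(line.rstrip())
        if not m:
            continue
        addr, user_agent = m.group(1), m.group(2)
        v = parse_curl_version(user_agent)
        if v is not None and is_upstream_affected(v):
            hits[addr] = v
    return hits


# Constructed sample input (not taken from the record above).
SAMPLE_BANNERS = {
    "build-a": "curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f zlib/1.2.11",
    "build-b": "curl 7.71.0 (x86_64-pc-linux-gnu) libcurl/7.71.0 OpenSSL/1.1.1g zlib/1.2.11",
    "build-c": "curl 7.61.1 (x86_64-redhat-linux-gnu) libcurl/7.61.1 OpenSSL/1.1.1",
}
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Jun/2020:10:00:01 +0000] "GET /api HTTP/1.1" 302 0 "-" "curl/7.64.0"',
    '10.0.0.7 - - [24/Jun/2020:10:00:02 +0000] "GET /api HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [24/Jun/2020:10:00:03 +0000] "GET /api HTTP/1.1" 302 0 "-" "myapp/2.1 libcurl/7.70.0"',
    '10.0.0.11 - - [24/Jun/2020:10:00:04 +0000] "GET /api HTTP/1.1" 200 12 "-" "curl/7.71.0"',
]

if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(name, triage_banner(banner))
    for addr, v in sorted(find_affected_clients(SAMPLE_LOG).items()):
        print(addr, "libcurl %d.%d.%d" % v)
```

On a fleet, feed `triage_banner` the first line of `curl --version` from each host and `find_affected_clients` a day of access logs from services the clients talk to; anything marked affected that comes from a distro package still needs the package version compared against the vendor's fixed version before it is closed.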
Oval Definitions
Class: V = vulnerability definition, P = patch definition.

Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:20208169 | V | CVE-2020-8169 | 2023-06-22
oval:org.opensuse.security:def:7476 | P | curl-8.0.1-150400.5.23.1 on GA media (Moderate) | 2023-06-12
oval:org.opensuse.security:def:3207 | P | liblzo2-2-2.08-1.13 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:3180 | P | libgraphite2-3-1.3.1-10.3.1 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:3269 | P | libtirpc-netconfig-1.0.1-17.13.1 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:3257 | P | libspice-client-glib-2_0-8-0.33-3.6.1 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:3271 | P | libudisks2-0-2.1.3-3.5.1 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:3159 | P | libblkid1-2.33.2-2.13 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:3218 | P | libnghttp2-14-1.7.1-1.84 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:3272 | P | libunwind-1.1-11.3.1 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:3199 | P | libkpathsea6-6.2.0dev-22.3.1 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:3166 | P | libdmx1-1.1.3-3.51 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:3248 | P | librelp0-1.2.12-3.3.1 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:3154 | P | libapr1-1.5.1-4.5.1 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:3275 | P | libvdpau1-1.1.1-6.73 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:2902 | P | curl-7.79.1-150400.3.1 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:94532 | P | curl-7.79.1-150400.3.1 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:94977 | P | libxkbregistry-devel-1.3.0-150400.1.13 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:38 | P | curl-7.66.0-4.14.1 on GA media (Moderate) | 2022-06-13
oval:org.opensuse.security:def:1819 | P | Security update for MozillaThunderbird (Important) | 2022-03-21
oval:org.opensuse.security:def:1818 | P | Security update for libreoffice (Moderate) | 2022-03-17
oval:org.opensuse.security:def:967 | P | Security update for python-libxml2-python (Important) | 2022-03-10
oval:org.opensuse.security:def:101690 | P | Security update for containerd (Moderate) | 2022-03-04
oval:org.opensuse.security:def:112133 | P | curl-7.79.1-1.1 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:64832 | P | Security update for the Linux Kernel (Important) (in QA) | 2022-01-07
oval:org.opensuse.security:def:73757 | P | Security update for python-pip (Moderate) | 2021-12-13
oval:org.opensuse.security:def:105669 | P | Security update for python-Pygments (Important) | 2021-12-01
oval:org.opensuse.security:def:66983 | P | Security update for postgresql14 (Important) | 2021-11-22
oval:org.opensuse.security:def:64583 | P | Security update for curl (Moderate) | 2021-10-06
oval:org.opensuse.security:def:73878 | P | Security update for gstreamer-plugins-good (Moderate) | 2021-09-02
oval:org.opensuse.security:def:48335 | P | vorbis-tools-1.4.0-26.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:48336 | P | vsftpd-3.0.2-40.11.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:48351 | P | xscreensaver-5.22-7.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:66891 | P | Security update for SUSE Manager Client Tools (Moderate) | 2021-08-12
oval:org.opensuse.security:def:63355 | P | libwsman-devel-2.6.7-3.9.1 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:101069 | P | python3-targetcli-fb-2.1.53-1.12 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:62056 | P | curl-7.66.0-4.14.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:71797 | P | curl-7.66.0-4.14.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:100814 | P | curl-7.66.0-4.14.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:73674 | P | Security update for webkit2gtk3 (Important) | 2021-08-03
oval:org.opensuse.security:def:67187 | P | Security update for the Linux Kernel (Important) | 2021-07-20
oval:org.opensuse.security:def:64724 | P | Security update for arpwatch (Important) | 2021-06-28
oval:org.opensuse.security:def:64725 | P | Security update for the Linux Kernel (Important) | 2021-06-28
oval:org.opensuse.security:def:70435 | P | Security update for arpwatch (Important) | 2021-06-28
oval:org.opensuse.security:def:64719 | P | Security update for wireshark (Important) | 2021-06-22
oval:org.opensuse.security:def:48473 | P | libXt6-1.1.4-3.57 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:70234 | P | Security update for libX11 (Important) | 2021-06-08
oval:org.opensuse.security:def:48899 | P | empathy-3.12.13-8.3.28 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48669 | P | finch-2.10.9-5.15 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48806 | P | libvdpau1-32bit-1.1.1-6.73 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:67092 | P | Security update for avahi (Moderate) | 2021-05-04
oval:org.opensuse.security:def:70543 | P | Security update for nodejs10 (Important) | 2021-03-02
oval:org.opensuse.security:def:70339 | P | Security update for openvswitch (Important) | 2021-02-11
oval:org.opensuse.security:def:1823 | P | openldap2-devel-32bit-2.4.46-9.3.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:1844 | P | apache-pdfbox-1.8.16-1.68 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:3926 | P | krb5-devel-1.12.5-40.37.7 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:1841 | P | FastCGI-2.4.0-2.23 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:63149 | P | dpdk-17.11.2-1.27 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:1832 | P | perl-Tk-devel-804.034-1.44 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:63136 | P | clamsap-0.99.25-2.37 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:1828 | P | perl-DNS-LDNS-1.7.0-2.22 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:1820 | P | ncurses-devel-32bit-6.1-5.3.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:1839 | P | xorg-x11-server-sdk-1.20.3-12.29 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:2483 | P | enigmail-2.0.9-3.13.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:1845 | P | binutils-devel-32bit-2.32-7.8.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:2487 | P | gnome-online-accounts-3.26.2-3.34 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:63141 | P | apache2-mod_jk-1.2.43-1.36 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:49050 | P | python-devel-2.7.13-28.31.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:1829 | P | perl-Mail-SpamAssassin-Plugin-iXhash2-2.05-10.19 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:63177 | P | qemu-2.11.1-7.5 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:3913 | P | gstreamer-plugins-bad-devel-1.8.3-17.2 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:49691 | P | libraptor-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:50436 | P | Security update for polkit (Important) | 2020-12-01
oval:org.opensuse.security:def:73556 | P | apache2-mod_security2 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:50946 | P | Security update for xen (Important) | 2020-12-01
oval:org.opensuse.security:def:63864 | P | Security update for apache2 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:64934 | P | Security update for spectre-meltdown-checker (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49271 | P | libzypp on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:50866 | P | Security update for xen (Important) | 2020-12-01
oval:org.opensuse.security:def:49590 | P | perl-File-Path on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:50177 | P | argyllcms on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:65000 | P | Security update for libX11 (Important) | 2020-12-01
oval:org.opensuse.security:def:50923 | P | Security update for curl (Important) | 2020-12-01
oval:org.opensuse.security:def:65122 | P | Security update for mgetty (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49819 | P | bouncycastle on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:50680 | P | Security update for postgresql10 (Important) | 2020-12-01
oval:org.opensuse.security:def:52296 | P | Security update for ppp (Important) | 2020-12-01
oval:org.opensuse.security:def:49671 | P | libjasper-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:51020 | P | Security update for postgresql10 (Important) | 2020-12-01
oval:org.opensuse.security:def:64019 | P | Security update for MozillaFirefox (Important) | 2020-12-01
oval:org.opensuse.security:def:49422 | P | libXi6-32bit on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:52358 | P | Security update for curl (Important) | 2020-12-01
oval:org.opensuse.security:def:49357 | P | xdg-utils on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49672 | P | libjbig2-32bit on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:50277 | P | Security update for webkit2gtk3 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49487 | P | python3-cupshelpers on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:63658 | P | Security update for wireshark (Moderate) | 2020-12-01
oval:org.opensuse.security:def:75067 | P | Security update for libvirt (Important) | 2020-12-01
oval:org.opensuse.security:def:49518 | P | gnome-online-accounts-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:50026 | P | postgresql-contrib on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:50847 | P | Security update for apache-commons-httpclient (Important) | 2020-12-01
oval:org.opensuse.security:def:50773 | P | Security update for mozilla-nss (Moderate) | 2020-12-01
oval:org.opensuse.security:def:75204 | P | Security update for curl (Important) | 2020-12-01
oval:org.opensuse.security:def:64250 | P | file on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:50914 | P | Security update for ruby2.5 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:94356 | P | (Moderate) | 2020-11-17
oval:org.opensuse.security:def:110941 | P | Security update for curl (Important) | 2020-06-27
oval:org.opensuse.security:def:117250 | P | Security update for curl (Important) | 2020-06-24
oval:org.opensuse.security:def:108356 | P | Security update for curl (Important) | 2020-06-24
oval:org.opensuse.security:def:99870 | P | (Important) | 2020-06-24
oval:org.opensuse.security:def:107735 | P | Security update for curl (Important) | 2020-06-24
oval:org.opensuse.security:def:75586 | P | Security update for curl (Important) | 2020-06-24