Alpine: multiple curl packages, libcurl: security update to 7.73.0-r0 (deprecated)

high Tenable Self-Hosted Container Security Plugin ID 400331

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to
a given IP address and port, and this way potentially make curl extract information about services that
are otherwise private and not disclosed, for example doing port scanning and service banner extractions.
(CVE-2020-8284)

- curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue
in FTP wildcard match parsing. (CVE-2020-8285)

- curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to
insufficient verification of the OCSP response. (CVE-2020-8286)

See Also

https://git.alpinelinux.org/aports/commit/?id=5e99749a7f3164ed0366c65992b236e7d034245a

https://git.alpinelinux.org/aports/commit/?id=a2da5d177a121c47684eb9ee6e49351cdaeae06b

Plugin Details

Severity: High

ID: 400331

Version: Revision 1.27

Type: Local

Published: 8/16/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 4.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2020-8286

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/9/2020

Vulnerability Publication Date: 12/9/2020

Reference Information

CVE: CVE-2020-8284, CVE-2020-8285, CVE-2020-8286

IAVA: 2020-A-0581