Wind River Support Network

Fixed

LIN10-8018 : Security Advisory - curl - CVE-2020-8284

Created: Dec 8, 2020    Updated: Apr 1, 2021
Resolved Date: Apr 1, 2021
Found In Version: 10.17.41.1
Severity: Standard
Applicable for: Wind River Linux LTS 17
Component/s: Userspace

Description

This issue has existed in curl for as long as FTP has been supported, since day 1.

The flaw only exists for IPv4 since PASV doesn't work for IPv6 and curl will prefer EPSV. The passive mode setup for FTP is used for both uploads and downloads.

curl can be built without FTP support and applications can explicitly disable FTP for single transfers.

curl users could already mitigate this flaw with CURLOPT_FTP_SKIP_PASV_IP and --ftp-skip-pasv-ip.

https://curl.se/docs/CVE-2020-8284.html
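With CURLOPT_FTP_SKIP_PASV_IP or --ftp-skip-pasv-ip set, curl ignores the IP address in the server's 227 reply to PASV and reuses the control connection's address, taking only the port from the reply. The C code below is an added example of that decision, not curl or Wind River code; choose_pasv_target and struct pasv_target are hypothetical names, and the reply and addresses are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Data-connection endpoint chosen after a PASV (227) reply. */
struct pasv_target {
    char ip[16];      /* dotted-quad IPv4 address to connect to */
    unsigned port;    /* port taken from the reply */
    int mismatch;     /* 1 if the reply advertised a different IP */
};

/* Hypothetical helper, not a libcurl function.
 * control_ip: peer address of the existing control connection.
 * skip_pasv_ip: nonzero models CURLOPT_FTP_SKIP_PASV_IP / --ftp-skip-pasv-ip.
 * Returns 0 on success, -1 if the reply is not a well-formed 227. */
int choose_pasv_target(const char *reply, const char *control_ip,
                       int skip_pasv_ip, struct pasv_target *out)
{
    unsigned v[6] = {0};
    char adv[16];
    const char *s;
    int i;
    if (strncmp(reply, "227", 3) != 0 || strlen(control_ip) > 15)
        return -1;
    /* Find the first h1,h2,h3,h4,p1,p2 tuple that starts a number. */
    for (s = reply + 3; *s; s++)
        if ((s[-1] < '0' || s[-1] > '9') &&
            sscanf(s, "%3u,%3u,%3u,%3u,%3u,%3u",
                   &v[0], &v[1], &v[2], &v[3], &v[4], &v[5]) == 6)
            break;
    if (!*s)
        return -1;
    for (i = 0; i < 6; i++)
        if (v[i] > 255)
            return -1;
    snprintf(adv, sizeof adv, "%u.%u.%u.%u", v[0], v[1], v[2], v[3]);
    out->mismatch = strcmp(adv, control_ip) != 0;
    out->port = v[4] * 256 + v[5];
    /* With the option set, the advertised IP is ignored. */
    snprintf(out->ip, sizeof out->ip, "%s", skip_pasv_ip ? control_ip : adv);
    return 0;
}

int main(void)
{
    struct pasv_target t;
    /* Constructed reply; addresses are from the RFC 5737 documentation ranges. */
    const char *reply = "227 Entering Passive Mode (198,51,100,7,195,80)";
    if (choose_pasv_target(reply, "192.0.2.10", 1, &t) == 0)
        printf("connect to %s:%u (mismatch=%d)\n", t.ip, t.port, t.mismatch);
    return 0;
}
```

The mismatch flag is set whether or not the option is enabled, so the same check can be used to log servers whose PASV reply names an address other than the control peer.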

CREATE(Triage):(User=admin) CVE-2020-8284: https://nvd.nist.gov/vuln/detail/CVE-2020-8284
