VuXML ID | Description |
02e33cd1-c655-11ee-8613-08002784c58d | curl -- OCSP verification bypass with TLS session reuse
Hiroki Kurosawa reports:
curl inadvertently kept the SSL session ID for connections
in its cache even when the verify status (OCSP stapling)
test failed. A subsequent transfer to the same hostname
could then succeed if the session ID cache was still
fresh, which then skipped the verify status check.
Discovery 2024-01-31 Entry 2024-02-28 curl
< 8.6.0
CVE-2024-0853
https://curl.se/docs/CVE-2024-0853.html
|
0d7d104c-c6fb-11ed-8a4b-080027f5fec9 | curl -- multiple vulnerabilities
Harry Sintonen reports:
- CVE-2023-27533
-
curl supports communicating using the TELNET protocol
and as a part of this it offers users to pass on user
name and "telnet options" for the server
negotiation.
Due to lack of proper input scrubbing and without it
being the documented functionality, curl would pass on
user name and telnet options to the server as
provided. This could allow users to pass in carefully
crafted content that pass on content or do option
negotiation without the application intending to do
so. In particular if an application for example allows
users to provide the data or parts of the data.
- CVE-2023-27534
-
curl supports SFTP transfers. curl's SFTP implementation
offers a special feature in the path component of URLs:
a tilde (~) character as the first path element in the
path to denotes a path relative to the user's home
directory. This is supported because of wording in the
once proposed to-become RFC draft that was to dictate
how SFTP URLs work.
Due to a bug, the handling of the tilde in SFTP path did
however not only replace it when it is used stand-alone
as the first path element but also wrongly when used as
a mere prefix in the first element.
Using a path like /~2/foo when accessing a server using
the user dan (with home directory /home/dan) would then
quite surprisingly access the file /home/dan2/foo.
This can be taken advantage of to circumvent filtering
or worse.
- CVE-2023-27535
-
libcurl would reuse a previously created FTP connection
even when one or more options had been changed that
could have made the effective user a very different one,
thus leading to the doing the second transfer with wrong
credentials.
libcurl keeps previously used connections in a
connection pool for subsequent transfers to reuse if one
of them matches the setup. However, several FTP settings
were left out from the configuration match checks,
making them match too easily. The settings in questions
are CURLOPT_FTP_ACCOUNT,
CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC and
CURLOPT_USE_SSL level.
- CVE-2023-27536
-
ibcurl would reuse a previously created connection even
when the GSS delegation (CURLOPT_GSSAPI_DELEGATION)
option had been changed that could have changed the
user's permissions in a second transfer.
libcurl keeps previously used connections in a
connection pool for subsequent transfers to reuse if one
of them matches the setup. However, this GSS delegation
setting was left out from the configuration match
checks, making them match too easily, affecting
krb5/kerberos/negotiate/GSSAPI transfers.
- CVE-2023-27537
-
libcurl supports sharing HSTS data between separate
"handles". This sharing was introduced without
considerations for do this sharing across separate
threads but there was no indication of this fact in the
documentation.
Due to missing mutexes or thread locks, two threads
sharing the same HSTS data could end up doing a
double-free or use-after-free.
- CVE-2023-27538
-
libcurl would reuse a previously created connection even
when an SSH related option had been changed that should
have prohibited reuse.
libcurl keeps previously used connections in a
connection pool for subsequent transfers to reuse if one
of them matches the setup. However, two SSH settings
were left out from the configuration match checks,
making them match too easily.
Discovery 2023-03-20 Entry 2023-03-20 curl
< 8.0.0
CVE-2023-27533
CVE-2023-27534
CVE-2023-27535
CVE-2023-27536
CVE-2023-27537
CVE-2023-27538
https://curl.se/docs/security.html
|
833b469b-5247-11ee-9667-080027f5fec9 | curl -- HTTP headers eat all memory
selmelc on hackerone reports:
When curl retrieves an HTTP response, it stores the
incoming headers so that they can be accessed later via
the libcurl headers API.
However, curl did not have a limit in how many or how
large headers it would accept in a response, allowing a
malicious server to stream an endless series of headers
and eventually cause curl to run out of heap memory.
Discovery 2023-09-13 Entry 2023-09-13 curl
< 8.3.0
CVE-2023-38039
https://curl.se/docs/CVE-2023-38039.html HERE
|
be233fc6-bae7-11ed-a4fb-080027f5fec9 | curl -- multiple vulnerabilities
Harry Sintonen and Patrick Monnerat report:
- CVE-2023-23914
-
A cleartext transmission of sensitive information
vulnerability exists in curl < v7.88.0 that could
cause HSTS functionality fail when multiple URLs are
requested serially. Using its HSTS support, curl can be
instructed to use HTTPS instead of using an insecure
clear-text HTTP step even when HTTP is provided in the
URL. This HSTS mechanism would however surprisingly be
ignored by subsequent transfers when done on the same
command line because the state would not be properly
carried on.
- CVE-2023-23915
-
A cleartext transmission of sensitive information
vulnerability exists in curl < v7.88.0 that could
cause HSTS functionality to behave incorrectly when
multiple URLs are requested in parallel. Using its HSTS
support, curl can be instructed to use HTTPS instead of
using an insecure clear-text HTTP step even when HTTP is
provided in the URL. This HSTS mechanism would however
surprisingly fail when multiple transfers are done in
parallel as the HSTS cache file gets overwritten by the
most recently completed transfer. A later HTTP-only
transfer to the earlier host name would then *not* get
upgraded properly to HSTS.
- CVE-2023-23916
-
An allocation of resources without limits or throttling
vulnerability exists in curl < v7.88.0 based on the
"chained" HTTP compression algorithms, meaning
that a server response can be compressed multiple times
and potentially with different algorithms. The number of
acceptable "links" in this "decompression
chain" was capped, but the cap was implemented on a
per-header basis allowing a malicious server to insert a
virtually unlimited number of compression steps simply
by using many headers. The use of such a decompression
chain could result in a "malloc bomb", making
curl end up spending enormous amounts of allocated heap
memory, or trying to and returning out of memory errors.
Discovery 2023-02-15 Entry 2023-03-05 curl
< 7.88.0
CVE-2023-23914
CVE-2023-23915
CVE-2023-23916
https://curl.se/docs/security.html
|
d6c19e8c-6806-11ee-9464-b42e991fc52e | curl -- SOCKS5 heap buffer overflow
The curl team reports:
This flaw makes curl overflow a heap based buffer in the
SOCKS5 proxy handshake. When curl is asked to pass along
the hostname to the SOCKS5 proxy to allow that to resolve
the address instead of it getting done by curl itself, the
maximum length that hostname can be is 255 bytes. If the
hostname is detected to be longer than 255 bytes, curl
switches to local name resolving and instead passes on the
resolved address only to the proxy. Due to a bug, the
local variable that means "let the host resolve the name"
could get the wrong value during a slow SOCKS5 handshake,
and contrary to the intention, copy the too long hostname
to the target buffer instead of copying just the resolved
address there.
Discovery 2023-09-30 Entry 2023-10-11 Modified 2023-10-11 curl
gt 7.69.0 lt 8.4.0
cmake-core
< 3.27.8
CVE-2023-38545
https://curl.se/docs/CVE-2023-38545.html
|
a4f8bb03-f52f-11ed-9859-080027083a05 | curl -- multiple vulnerabilities
Wei Chong Tan, Harry Sintonen, and Hiroki Kurosawa reports:
This update fixes 4 security vulnerabilities:
- Medium CVE-2023-28319: UAF in SSH sha256 fingerprint check. Reported by Wei Chong Tan on 2023-03-21
- Low CVE-2023-28320: siglongjmp race condition. Reported by Harry Sintonen on 2023-04-02
- Low CVE-2023-28321: IDN wildcard match. Reported by Hiroki Kurosawa on 2023-04-17
- Low CVE-2023-28322: more POST-after-PUT confusion. Reported by Hiroki Kurosawa on 2023-04-19
Discovery 2023-03-21 Entry 2023-05-19 curl
< 8.1.0
CVE-2023-28319
https://curl.se/docs/CVE-2023-28319.html
CVE-2023-28320
https://curl.se/docs/CVE-2023-28320.html
CVE-2023-28321
https://curl.se/docs/CVE-2023-28321.html
CVE-2023-28322
https://curl.se/docs/CVE-2023-28322.html
|