VuXML ID | Description |
c8c31c41-49ed-11df-83fb-0015587e2cc1 | curl -- libcurl buffer overflow vulnerability
The cURL project reports in a security advisory:
Using the affected libcurl version to download compressed
content over HTTP, an application can ask libcurl to
automatically uncompress data. When doing so, libcurl
can wrongly send data up to 64K in size to the callback
which thus is much larger than the documented maximum
size.
An application that blindly trusts libcurl's max limit
for a fixed buffer size or similar is then a possible
target for a buffer overflow vulnerability.
Discovery 2010-02-09 Entry 2010-04-19 curl
>= 7.10.5 lt 7.20.0
CVE-2010-0734
http://curl.haxx.se/docs/adv_20100209.html
http://www.debian.org/security/2010/dsa-2023
http://www.openwall.com/lists/oss-security/2010/02/09/5
|
833b469b-5247-11ee-9667-080027f5fec9 | curl -- HTTP headers eat all memory
selmelc on hackerone reports:
When curl retrieves an HTTP response, it stores the
incoming headers so that they can be accessed later via
the libcurl headers API.
However, curl did not have a limit in how many or how
large headers it would accept in a response, allowing a
malicious server to stream an endless series of headers
and eventually cause curl to run out of heap memory.
Discovery 2023-09-13 Entry 2023-09-13 curl
< 8.3.0
CVE-2023-38039
https://curl.se/docs/CVE-2023-38039.html HERE
|
04fe6c8d-2a34-4009-a81e-e7a7e759b5d2 | cURL -- multiple vulnerabilities
cURL security problems:
CVE-2018-1000300: FTP shutdown response buffer overflow
curl might overflow a heap based memory buffer when closing down an
FTP connection with very long server command replies.
When doing FTP transfers, curl keeps a spare "closure handle" around
internally that will be used when an FTP connection gets shut down
since the original curl easy handle is then already removed.
FTP server response data that gets cached from the original transfer
might then be larger than the default buffer size (16 KB) allocated in
the "closure handle", which can lead to a buffer overwrite. The
contents and size of that overwrite is controllable by the server.
This situation was detected by an assert() in the code, but that was
of course only preventing bad stuff in debug builds. This bug is very
unlikely to trigger with non-malicious servers.
We are not aware of any exploit of this flaw.
CVE-2018-1000301: RTSP bad headers buffer over-read
curl can be tricked into reading data beyond the end of a heap based
buffer used to store downloaded content.
When servers send RTSP responses back to curl, the data starts out
with a set of headers. curl parses that data to separate it into a
number of headers to deal with those appropriately and to find the end
of the headers that signal the start of the "body" part.
The function that splits up the response into headers is called
Curl_http_readwrite_headers() and in situations where it can't find a
single header in the buffer, it might end up leaving a pointer pointing
into the buffer instead of to the start of the buffer which then later
on may lead to an out of buffer read when code assumes that pointer
points to a full buffer size worth of memory to use.
This could potentially lead to information leakage but most likely a
crash/denial of service for applications if a server triggers this flaw.
We are not aware of any exploit of this flaw.
Discovery 2018-05-16 Entry 2018-05-16 curl
< 7.60.0
https://curl.haxx.se/docs/security.html
https://curl.haxx.se/docs/adv_2018-82c2.html
https://curl.haxx.se/docs/adv_2018-b138.html
CVE-2018-1000300
CVE-2018-1000301
|
6294f75f-03f2-11e5-aab1-d050996490d0 | cURL -- multiple vulnerabilities
cURL reports:
libcurl keeps a pool of its last few connections around
after use to facilitate easy, convenient, and completely
transparent connection re-use for applications.
When doing HTTP requests NTLM authenticated, the entire
connection becomes authenticated and not just the
specific HTTP request which is otherwise how HTTP works.
This makes NTLM special and a subject for special
treatment in the code. With NTLM, once the connection is
authenticated, no further authentication is necessary until
the connection gets closed.
When doing HTTP requests Negotiate authenticated, the
entire connection may become authenticated and not just
the specific HTTP request which is otherwise how HTTP
works, as Negotiate can basically use NTLM under the hood.
curl was not adhering to this fact but would assume that
such requests would also be authenticated per request.
libcurl supports HTTP "cookies" as documented in RFC 6265.
Together with each individual cookie there are several
different properties, but for this vulnerability we
focus on the associated "path" element. It tells
information about for which path on a given host the
cookies is valid.
The internal libcurl function called sanitize_cookie_path()
that cleans up the path element as given to it from a
remote site or when read from a file, did not properly
validate the input. If given a path that consisted of a
single double-quote, libcurl would index a newly
allocated memory area with index -1 and assign a zero
to it, thus destroying heap memory it wasn't supposed to.
There is a private function in libcurl called fix_hostname()
that removes a trailing dot from the host name if there is
one. The function is called after the host name has been
extracted from the URL libcurl has been told to act on.
If a URL is given with a zero-length host name, like in
"http://:80" or just ":80", fix_hostname() will index the
host name pointer with a -1 offset (as it blindly assumes
a non-zero length) and both read and assign that address.
Discovery 2015-04-22 Entry 2015-05-26 curl
< 7.42.0
http://curl.haxx.se/docs/adv_20150422A.html
http://curl.haxx.se/docs/adv_20150422B.html
http://curl.haxx.se/docs/adv_20150422C.html
http://curl.haxx.se/docs/adv_20150422D.html
CVE-2014-3143
CVE-2014-3144
CVE-2014-3145
CVE-2014-3148
|
0f99a30c-7b4b-11ed-9168-080027f5fec9 | curl -- multiple vulnerabilities
Daniel Stenberg reports:
- CVE-2022-32221: POST following PUT confusion
-
When doing HTTP(S) transfers, libcurl might erroneously
use the read callback
(
CURLOPT_READFUNCTION ) to ask for data to
send, even when the CURLOPT_POSTFIELDS
option has been set, if the same handle previously was
used to issue a PUT request which used that
callback. This flaw may surprise the application and
cause it to misbehave and either send off the wrong data
or use memory after free or similar in the subsequent
POST request. The problem exists in the
logic for a reused handle when it is changed from a PUT
to a POST.
- CVE-2022-35260: .netrc parser out-of-bounds access
-
curl can be told to parse a .netrc file for
credentials. If that file ends in a line with
consecutive non-white space letters and no newline, curl
could read past the end of the stack-based buffer, and
if the read works, write a zero byte possibly beyond its
boundary. This will in most cases cause a segfault or
similar, but circumstances might also cause different
outcomes. If a malicious user can provide a custom netrc
file to an application or otherwise affect its contents,
this flaw could be used as denial-of-service.
- CVE-2022-42915: HTTP proxy double-free
-
f curl is told to use an HTTP proxy for a transfer with
a non-HTTP(S) URL, it sets up the connection to the
remote server by issuing a CONNECT request to the proxy,
and then tunnels the rest of protocol through. An HTTP
proxy might refuse this request (HTTP proxies often only
allow outgoing connections to specific port numbers,
like 443 for HTTPS) and instead return a non-200
response code to the client. Due to flaws in the
error/cleanup handling, this could trigger a double-free
in curl if one of the following schemes were used in the
URL for the transfer: dict, gopher, gophers, ldap,
ldaps, rtmp, rtmps, telnet
- CVE-2022-42916: HSTS bypass via IDN
-
curl's HSTS check could be bypassed to trick it to keep
using HTTP. Using its HSTS support, curl can be
instructed to use HTTPS directly instead of using an
insecure clear-text HTTP step even when HTTP is provided
in the URL. This mechanism could be bypassed if the host
name in the given URL uses IDN characters that get
replaced to ASCII counterparts as part of the IDN
conversion. Like using the character UTF-8 U+3002
(IDEOGRAPHIC FULL STOP) instead of the common ASCII full
stop (U+002E) .. Like this: http://curlãÂÂseãÂÂ
Discovery 2022-10-26 Entry 2022-12-14 curl
< 7.86.0
CVE-2022-32221
CVE-2022-35260
CVE-2022-42915
CVE-2022-42916
https://curl.se/docs/CVE-2022-32221.html
https://curl.se/docs/CVE-2022-35260.html
https://curl.se/docs/CVE-2022-42915.html
https://curl.se/docs/CVE-2022-42916.html
|
27f742f6-03f4-11e5-aab1-d050996490d0 | cURL -- sensitive HTTP server headers also sent to proxies
cURL reports:
libcurl provides applications a way to set custom HTTP
headers to be sent to the server by using CURLOPT_HTTPHEADER.
A similar option is available for the curl command-line
tool with the '--header' option.
When the connection passes through an HTTP proxy the
same set of headers is sent to the proxy as well by default.
While this is by design, it has not necessarily been clear
nor understood by application programmers.
Discovery 2015-04-29 Entry 2015-05-26 curl
< 7.42.1
CVE-2015-3153
http://curl.haxx.se/docs/adv_20150429.html
|
04f29189-1a05-11e7-bc6e-b499baebfeaf | cURL -- potential memory disclosure
The cURL project reports:
There were two bugs in curl's parser for the command line option
--write-out (or -w for short) that would skip the end of string
zero byte if the string ended in a % (percent) or \ (backslash),
and it would read beyond that buffer in the heap memory and it
could then potentially output pieces of that memory to the
terminal or the target file etc..
This flaw only exists in the command line tool.
We are not aware of any exploit of this flaw.
Discovery 2017-04-03 Entry 2017-04-05 Modified 2017-04-06 curl
>= 6.5 lt 7.53.1_1
https://curl.haxx.se/docs/adv_20170403.html
CVE-2017-7407
|
8b27f1bc-c509-11e5-a95f-b499baebfeaf | curl -- Credentials not checked
The cURL project reports:
libcurl will reuse NTLM-authenticated proxy connections
without properly making sure that the connection was
authenticated with the same credentials as set for this
transfer.
Discovery 2016-01-27 Entry 2016-01-27 Modified 2017-02-06 curl
>= 7.10.0 lt 7.47.0
http://curl.haxx.se/docs/adv_20160127A.html
CVE-2016-0755
|
69cfa386-7cd0-11e7-867f-b499baebfeaf | cURL -- multiple vulnerabilities
The cURL project reports:
- FILE buffer read out of bounds
- TFTP sends more than buffer size
- URL globbing out of bounds read
Discovery 2017-08-09 Entry 2017-08-09 curl
< 7.55.0
https://curl.haxx.se/docs/security.html
CVE-2017-1000099
CVE-2017-1000100
CVE-2017-1000101
|
ccace707-a8d8-11e7-ac58-b499baebfeaf | cURL -- out of bounds read
The cURL project reports:
FTP PWD response parser out of bounds read
libcurl may read outside of a heap allocated buffer when doing FTP.
When libcurl connects to an FTP server and successfully logs in
(anonymous or not), it asks the server for the current directory with
the PWD command. The server then responds with a 257 response containing
the path, inside double quotes. The returned path name is then kept by
libcurl for subsequent uses.
Due to a flaw in the string parser for this directory name, a directory
name passed like this but without a closing double quote would lead to
libcurl not adding a trailing NUL byte to the buffer holding the name.
When libcurl would then later access the string, it could read beyond
the allocated heap buffer and crash or wrongly access data beyond the
buffer, thinking it was part of the path.
A malicious server could abuse this fact and effectively prevent
libcurl-based clients to work with it - the PWD command is always issued
on new FTP connections and the mistake has a high chance of causing a
segfault.
Discovery 2017-10-04 Entry 2017-10-04 curl
< 7.56.0
https://curl.haxx.se/docs/adv_20171004.html
CVE-2017-1000254
|
b018121b-7a4b-11e6-bf52-b499baebfeaf | cURL -- Escape and unescape integer overflows
The cURL project reports
The four libcurl functions curl_escape(), curl_easy_escape(),
curl_unescape and curl_easy_unescape perform string URL percent
escaping and unescaping. They accept custom string length inputs
in signed integer arguments.
The provided string length arguments were not properly checked
and due to arithmetic in the functions, passing in the length
0xffffffff (2^32-1 or UINT_MAX or even just -1) would end up
causing an allocation of zero bytes of heap memory that curl
would attempt to write gigabytes of data into.
Discovery 2016-09-14 Entry 2016-09-14 curl
>= 7.11.1 lt 7.50.3
https://curl.haxx.se/docs/adv_20160914.html
CVE-2016-7167
|
caa98ffd-0a92-40d0-b234-fd79b429157e | cURL -- URL request injection vulnerability
cURL reports:
When libcurl sends a request to a server via a HTTP proxy, it
copies the entire URL into the request and sends if off.
If the given URL contains line feeds and carriage returns those will
be sent along to the proxy too, which allows the program to for
example send a separate HTTP request injected embedded in the URL.
Many programs allow some kind of external sources to set the URL or
provide partial pieces for the URL to ask for, and if the URL as
received from the user is not stripped good enough this flaw allows
malicious users to do additional requests in a way that was not
intended, or just to insert request headers into the request that
the program didn't intend.
We are not aware of any exploit of this flaw.
Discovery 2014-12-25 Entry 2015-01-09 curl
< 7.40.0
CVE-2014-8150
http://curl.haxx.se/docs/adv_20150108B.html
|
5d433534-f41c-402e-ade5-e0a2259a7cb6 | curl -- cURL/libcURL Location: Redirect URLs Security Bypass
Secunia reports:
The security issue is caused due to cURL following HTTP Location:
redirects to e.g. scp:// or file:// URLs which can be exploited
by a malicious HTTP server to overwrite or disclose the content of
arbitrary local files and potentially execute arbitrary commands via
specially crafted redirect URLs.
Discovery 2009-03-03 Entry 2009-03-04 curl
>= 5.11 lt 7.19.4
CVE-2009-0037
http://secunia.com/advisories/34138/
|
11e36890-d28c-11ec-a06f-d4c9ef517024 | curl -- Multiple vulnerabilities
The curl project reports:
CVE-2022-27778: curl removes wrong file on error
CVE-2022-27779: cookie for trailing dot TLD
CVE-2022-27780: percent-encoded path separator in URL host
CVE-2022-27781: CERTINFO never-ending busy-loop
CVE-2022-27782: TLS and SSH connection too eager reuse
CVE-2022-30115: HSTS bypass via trailing dot
Discovery 2022-05-11 Entry 2022-05-13 curl
< 7.83.1
CVE-2022-27778
CVE-2022-27779
CVE-2022-27780
CVE-2022-27781
CVE-2022-27782
CVE-2022-30115
https://curl.se/docs/security.html
|
714b033a-2b09-11e9-8bc3-610fd6e6cd05 | curl -- multiple vulnerabilities
curl security problems:
CVE-2018-16890: NTLM type-2 out-of-bounds buffer read
libcurl contains a heap buffer out-of-bounds read flaw.
The function handling incoming NTLM type-2 messages
(lib/vauth/ntlm.c:ntlm_decode_type2_target) does not validate incoming
data correctly and is subject to an integer overflow vulnerability.
Using that overflow, a malicious or broken NTLM server could trick
libcurl to accept a bad length + offset combination that would lead to a
buffer read out-of-bounds.
CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow
libcurl contains a stack based buffer overflow vulnerability.
The function creating an outgoing NTLM type-3 header
(lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()), generates the
request HTTP header contents based on previously received data. The
check that exists to prevent the local buffer from getting overflowed is
implemented wrongly (using unsigned math) and as such it does not
prevent the overflow from happening.
This output data can grow larger than the local buffer if very large
"nt response" data is extracted from a previous NTLMv2 header provided
by the malicious or broken HTTP server.
Such a "large value" needs to be around 1000 bytes or more. The actual
payload data copied to the target buffer comes from the NTLMv2 type-2
response header.
CVE-2019-3823: SMTP end-of-response out-of-bounds read
libcurl contains a heap out-of-bounds read in the code handling the
end-of-response for SMTP.
If the buffer passed to smtp_endofresp() isn't NUL terminated and
contains no character ending the parsed number, and len is set to 5,
then the strtol() call reads beyond the allocated buffer. The read
contents will not be returned to the caller.
Discovery 2019-02-07 Entry 2019-02-07 curl
< 7.64.0
https://curl.haxx.se/docs/security.html
https://curl.haxx.se/docs/CVE-2018-16890.html
https://curl.haxx.se/docs/CVE-2019-3822.html
https://curl.haxx.se/docs/CVE-2019-3823.html
CVE-2018-16890
CVE-2019-3822
CVE-2019-3823
|
aa646c01-ea0d-11eb-9b84-d4c9ef517024 | cURL -- Multiple vulnerabilities
The cURL project reports:
CURLOPT_SSLCERT mixup with Secure Transport (CVE-2021-22926)
TELNET stack contents disclosure again (CVE-2021-22925)
Bad connection reuse due to flawed path name checks (CVE-2021-92254)
Metalink download sends credentials (CVE-2021-92253)
Wrong content via metalink not discarded (CVE-2021-92252)
Discovery 2021-07-21 Entry 2021-07-21 curl
< 7.78.0
CVE-2021-22922
CVE-2021-22923
CVE-2021-22924
CVE-2021-22925
CVE-2021-22926
https://curl.se/docs/vuln-7.77.0.html
|
a4f8bb03-f52f-11ed-9859-080027083a05 | curl -- multiple vulnerabilities
Wei Chong Tan, Harry Sintonen, and Hiroki Kurosawa reports:
This update fixes 4 security vulnerabilities:
- Medium CVE-2023-28319: UAF in SSH sha256 fingerprint check. Reported by Wei Chong Tan on 2023-03-21
- Low CVE-2023-28320: siglongjmp race condition. Reported by Harry Sintonen on 2023-04-02
- Low CVE-2023-28321: IDN wildcard match. Reported by Hiroki Kurosawa on 2023-04-17
- Low CVE-2023-28322: more POST-after-PUT confusion. Reported by Hiroki Kurosawa on 2023-04-19
Discovery 2023-03-21 Entry 2023-05-19 curl
< 8.1.0
CVE-2023-28319
https://curl.se/docs/CVE-2023-28319.html
CVE-2023-28320
https://curl.se/docs/CVE-2023-28320.html
CVE-2023-28321
https://curl.se/docs/CVE-2023-28321.html
CVE-2023-28322
https://curl.se/docs/CVE-2023-28322.html
|
42880202-c81c-11e6-a9a5-b499baebfeaf | cURL -- buffer overflow
The cURL project reports:
printf floating point buffer overflow
libcurl's implementation of the printf() functions triggers a
buffer overflow when doing a large floating point output. The bug
occurs when the conversion outputs more than 255 bytes.
Discovery 2016-12-21 Entry 2016-12-22 curl
>= 7.1 lt 7.52
https://curl.haxx.se/docs/vuln-7.51.0.html
CVE-2016-9586
|
92a4d881-c6cf-11ec-a06f-d4c9ef517024 | cURL -- Multiple vulnerabilities
The cURL project reports:
- OAUTH2 bearer bypass in connection re-use (CVE-2022-22576)
- Credential leak on redirect (CVE-2022-27774)
- Bad local IPv6 connection reuse (CVE-2022-27775)
- Auth/cookie leak on redirect (CVE-2022-27776)
Discovery 2022-04-27 Entry 2022-04-28 curl
< 7.83.0
CVE-2022-22576
CVE-2022-27774
CVE-2022-27775
CVE-2022-27776
https://curl.se/docs/vuln-7.82.0.html
|
9aecb94c-c1ad-11e3-a5ac-001b21614864 | cURL -- inappropriate GSSAPI delegation
cURL reports:
When doing GSSAPI authentication, libcurl unconditionally performs
credential delegation. This hands the server a copy of the client's
security credentials, allowing the server to impersonate the client
to any other using the same GSSAPI mechanism.
Discovery 2011-06-23 Entry 2014-04-11 Modified 2014-04-30 curl
>= 7.10.6 le 7.21.6
linux-f10-curl
>= 7.10.6 le 7.21.6
CVE-2011-2192
http://curl.haxx.se/docs/adv_20110623.html
|
01cf67b3-dc3b-11e2-a6cd-c48508086173 | cURL library -- heap corruption in curl_easy_unescape
cURL developers report:
libcurl is vulnerable to a case of bad checking of the
input data which may lead to heap corruption.
The function curl_easy_unescape() decodes URL-encoded
strings to raw binary data. URL-encoded octets are
represented with %HH combinations where HH is a two-digit
hexadecimal number. The decoded string is written to an
allocated memory area that the function returns to the
caller.
The function takes a source string and a length
parameter, and if the length provided is 0 the function will
instead use strlen() to figure out how much data to
parse.
The "%HH" parser wrongly only considered the case where a
zero byte would terminate the input. If a length-limited
buffer was passed in which ended with a '%' character which
was followed by two hexadecimal digits outside of the buffer
libcurl was allowed to parse alas without a terminating
zero, libcurl would still parse that sequence as well. The
counter for remaining data to handle would then be decreased
too much and wrap to become a very large integer and the
copying would go on too long and the destination buffer that
is allocated on the heap would get overwritten.
We consider it unlikely that programs allow user-provided
strings unfiltered into this function. Also, only the not
zero-terminated input string use case is affected by this
flaw. Exploiting this flaw for gain is probably possible for
specific circumstances but we consider the general risk for
this to be low.
The curl command line tool is not affected by this
problem as it doesn't use this function.
There are no known exploits available at this time.
Discovery 2013-06-22 Entry 2013-06-23 Modified 2013-07-01 curl
>= 7.7 lt 7.24.0_4
CVE-2013-2174
http://curl.haxx.se/docs/adv_20130622.html
|
765feb7d-a0d1-11e6-a881-b499baebfeaf | cURL -- multiple vulnerabilities
The cURL project reports
- cookie injection for other servers
- case insensitive password comparison
- OOB write via unchecked multiplication
- double-free in curl_maprintf
- double-free in krb5 code
- glob parser write/read out of bounds
- curl_getdate read out of bounds
- URL unescape heap overflow via integer truncation
- Use-after-free via shared cookies
- invalid URL parsing with '#'
- IDNA 2003 makes curl use wrong host
Discovery 2016-11-02 Entry 2016-11-02 curl
>= 7.1 lt 7.51.0
https://curl.haxx.se/docs/security.html
CVE-2016-8615
CVE-2016-8616
CVE-2016-8617
CVE-2016-8618
CVE-2016-8619
CVE-2016-8620
CVE-2016-8621
CVE-2016-8622
CVE-2016-8623
CVE-2016-8624
CVE-2016-8625
|
0d7d104c-c6fb-11ed-8a4b-080027f5fec9 | curl -- multiple vulnerabilities
Harry Sintonen reports:
- CVE-2023-27533
-
curl supports communicating using the TELNET protocol
and as a part of this it offers users to pass on user
name and "telnet options" for the server
negotiation.
Due to lack of proper input scrubbing and without it
being the documented functionality, curl would pass on
user name and telnet options to the server as
provided. This could allow users to pass in carefully
crafted content that pass on content or do option
negotiation without the application intending to do
so. In particular if an application for example allows
users to provide the data or parts of the data.
- CVE-2023-27534
-
curl supports SFTP transfers. curl's SFTP implementation
offers a special feature in the path component of URLs:
a tilde (~) character as the first path element in the
path to denotes a path relative to the user's home
directory. This is supported because of wording in the
once proposed to-become RFC draft that was to dictate
how SFTP URLs work.
Due to a bug, the handling of the tilde in SFTP path did
however not only replace it when it is used stand-alone
as the first path element but also wrongly when used as
a mere prefix in the first element.
Using a path like /~2/foo when accessing a server using
the user dan (with home directory /home/dan) would then
quite surprisingly access the file /home/dan2/foo.
This can be taken advantage of to circumvent filtering
or worse.
- CVE-2023-27535
-
libcurl would reuse a previously created FTP connection
even when one or more options had been changed that
could have made the effective user a very different one,
thus leading to the doing the second transfer with wrong
credentials.
libcurl keeps previously used connections in a
connection pool for subsequent transfers to reuse if one
of them matches the setup. However, several FTP settings
were left out from the configuration match checks,
making them match too easily. The settings in questions
are CURLOPT_FTP_ACCOUNT,
CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC and
CURLOPT_USE_SSL level.
- CVE-2023-27536
-
ibcurl would reuse a previously created connection even
when the GSS delegation (CURLOPT_GSSAPI_DELEGATION)
option had been changed that could have changed the
user's permissions in a second transfer.
libcurl keeps previously used connections in a
connection pool for subsequent transfers to reuse if one
of them matches the setup. However, this GSS delegation
setting was left out from the configuration match
checks, making them match too easily, affecting
krb5/kerberos/negotiate/GSSAPI transfers.
- CVE-2023-27537
-
libcurl supports sharing HSTS data between separate
"handles". This sharing was introduced without
considerations for do this sharing across separate
threads but there was no indication of this fact in the
documentation.
Due to missing mutexes or thread locks, two threads
sharing the same HSTS data could end up doing a
double-free or use-after-free.
- CVE-2023-27538
-
libcurl would reuse a previously created connection even
when an SSH related option had been changed that should
have prohibited reuse.
libcurl keeps previously used connections in a
connection pool for subsequent transfers to reuse if one
of them matches the setup. However, two SSH settings
were left out from the configuration match checks,
making them match too easily.
Discovery 2023-03-20 Entry 2023-03-20 curl
< 8.0.0
CVE-2023-27533
CVE-2023-27534
CVE-2023-27535
CVE-2023-27536
CVE-2023-27537
CVE-2023-27538
https://curl.se/docs/security.html
|
b1194286-958e-11eb-9c34-080027f515ea | curl -- Automatic referer leaks credentials
Daniel Stenberg reports:
libcurl does not strip off user credentials from the URL when
automatically populating the Referer: HTTP request header field
in outgoing HTTP requests, and therefore risks leaking sensitive
data to the server that is the target of the second HTTP request.
libcurl automatically sets the Referer: HTTP request header field
in outgoing HTTP requests if the CURLOPT_AUTOREFERER option is set.
With the curl tool, it is enabled with --referer ";auto".
Discovery 2021-03-31 Entry 2021-04-10 curl
>= 7.1.1 lt 7.76.0
CVE-2021-22876
https://curl.se/docs/CVE-2021-22876.html
|
be233fc6-bae7-11ed-a4fb-080027f5fec9 | curl -- multiple vulnerabilities
Harry Sintonen and Patrick Monnerat report:
- CVE-2023-23914
-
A cleartext transmission of sensitive information
vulnerability exists in curl < v7.88.0 that could
cause HSTS functionality fail when multiple URLs are
requested serially. Using its HSTS support, curl can be
instructed to use HTTPS instead of using an insecure
clear-text HTTP step even when HTTP is provided in the
URL. This HSTS mechanism would however surprisingly be
ignored by subsequent transfers when done on the same
command line because the state would not be properly
carried on.
- CVE-2023-23915
-
A cleartext transmission of sensitive information
vulnerability exists in curl < v7.88.0 that could
cause HSTS functionality to behave incorrectly when
multiple URLs are requested in parallel. Using its HSTS
support, curl can be instructed to use HTTPS instead of
using an insecure clear-text HTTP step even when HTTP is
provided in the URL. This HSTS mechanism would however
surprisingly fail when multiple transfers are done in
parallel as the HSTS cache file gets overwritten by the
most recently completed transfer. A later HTTP-only
transfer to the earlier host name would then *not* get
upgraded properly to HSTS.
- CVE-2023-23916
-
An allocation of resources without limits or throttling
vulnerability exists in curl < v7.88.0 based on the
"chained" HTTP compression algorithms, meaning
that a server response can be compressed multiple times
and potentially with different algorithms. The number of
acceptable "links" in this "decompression
chain" was capped, but the cap was implemented on a
per-header basis allowing a malicious server to insert a
virtually unlimited number of compression steps simply
by using many headers. The use of such a decompression
chain could result in a "malloc bomb", making
curl end up spending enormous amounts of allocated heap
memory, or trying to and returning out of memory errors.
Discovery 2023-02-15 Entry 2023-03-05 curl
< 7.88.0
CVE-2023-23914
CVE-2023-23915
CVE-2023-23916
https://curl.se/docs/security.html
|
02e33cd1-c655-11ee-8613-08002784c58d | curl -- OCSP verification bypass with TLS session reuse
Hiroki Kurosawa reports:
curl inadvertently kept the SSL session ID for connections
in its cache even when the verify status (OCSP stapling)
test failed. A subsequent transfer to the same hostname
could then succeed if the session ID cache was still
fresh, which then skipped the verify status check.
Discovery 2024-01-31 Entry 2024-02-28 curl
< 8.6.0
CVE-2024-0853
https://curl.se/docs/CVE-2024-0853.html
|
0cbf0fa6-dcb7-469c-b87a-f94cffd94583 | cURL -- Multiple vulnerabilities
The cURL project reports:
libcurl 7.1 through 7.57.0 might accidentally leak authentication
data to third parties. When asked to send custom headers in its HTTP
requests, libcurl will send that set of headers first to the host in
the initial URL but also, if asked to follow redirects and a 30X HTTP
response code is returned, to the host mentioned in URL in the
`Location:` response header value. Sending the same set of headers to
subsequest hosts is in particular a problem for applications that pass
on custom `Authorization:` headers, as this header often contains
privacy sensitive information or data that could allow others to
impersonate the libcurl-using client's request.
Discovery 2018-01-24 Entry 2018-01-26 curl
< 7.58.0
https://curl.haxx.se/docs/adv_2018-b3bf.html
CVE-2018-1000007
|
3c77f139-3a09-11eb-929d-d4c9ef517024 | cURL -- Multiple vulnerabilities
The cURL project reports:
Trusting FTP PASV responses (CVE-2020-8284)
FTP wildcard stack overflow (CVE-2020-8285)
Inferior OCSP verification (CVE-2020-8286)
Discovery 2020-12-09 Entry 2020-12-09 curl
> 4.0 lt 7.74.0
https://curl.se/docs/security.html
CVE-2020-8284
CVE-2020-8285
CVE-2020-8286
|
e0ab1773-07c1-46c6-9170-4c5e81c00927 | curl -- multiple vulnerabilities
curl security problems:
CVE-2018-16839: SASL password overflow via integer overflow
libcurl contains a buffer overrun in the SASL authentication code.
The internal function Curl_auth_create_plain_message fails to
correctly verify that the passed in lengths for name and password
aren't too long, then calculates a buffer size to allocate.
On systems with a 32 bit size_t, the math to calculate the buffer size
triggers an integer overflow when the user name length exceeds 2GB
(2^31 bytes). This integer overflow usually causes a very small buffer
to actually get allocated instead of the intended very huge one, making
the use of that buffer end up in a heap buffer overflow.
This bug is very similar to CVE-2017-14618.
It affects curl 7.33.0 to 7.61.1.
CVE-2018-16840: use-after-free in handle close
libcurl contains a heap use-after-free flaw in code related to closing
an easy handle.
When closing and cleaning up an "easy" handle in the Curl_close()
function, the library code first frees a struct (without nulling the
pointer) and might then subsequently erroneously write to a struct
field within that already freed struct.
It affects curl 7.59.0 to 7.61.1.
CVE-2018-16842: warning message out-of-buffer read
curl contains a heap out of buffer read vulnerability.
The command line tool has a generic function for displaying warning
and informational messages to stderr for various situations. For
example if an unknown command line argument is used, or passed to it in
a "config" file.
This display function formats the output to wrap at 80 columns. The
wrap logic is however flawed, so if a single word in the message is
itself longer than 80 bytes the buffer arithmetic calculates the
remainder wrong and will end up reading behind the end of the buffer.
This could lead to information disclosure or crash.
This vulnerability could lead to a security issue if used in this or
similar situations:
1. a server somewhere uses the curl command line to run something
2. if it fails, it shows stderr to the user
3. the server takes user input for parts of its command line input
4. user provides something overly long that triggers this crash
5. the stderr output may now contain user memory contents that wasn't
meant to be available
It affects curl 7.14.1 to 7.61.1.
Discovery 2018-10-31 Entry 2018-11-01 curl
>= 7.14.1 lt 7.60.0
https://curl.haxx.se/docs/security.html
https://curl.haxx.se/docs/CVE-2018-16839.html
https://curl.haxx.se/docs/CVE-2018-16840.html
https://curl.haxx.se/docs/CVE-2018-16842.html
CVE-2018-16839
CVE-2018-16840
CVE-2018-16842
|
f4d638b9-e6e5-4dbe-8c70-571dbc116174 | curl -- password overflow vulnerability
curl security problems:
CVE-2018-14618: NTLM password overflow via integer overflow
The internal function Curl_ntlm_core_mk_nt_hash multiplies the length
of the password by two (SUM) to figure out how large temporary storage
area to allocate from the heap.
The length value is then subsequently used to iterate over the
password and generate output into the allocated storage buffer. On
systems with a 32 bit size_t, the math to calculate SUM triggers an
integer overflow when the password length exceeds 2GB (2^31 bytes).
This integer overflow usually causes a very small buffer to actually
get allocated instead of the intended very huge one, making the use of
that buffer end up in a heap buffer overflow.
This bug is almost identical to CVE-2017-8816.
Discovery 2018-09-05 Entry 2018-09-05 Modified 2019-08-03 curl
>= 7.15.4 lt 7.61.1
linux-c7-curl
< 7.29.0_6
https://curl.haxx.se/docs/security.html
https://curl.haxx.se/docs/CVE-2018-14618.html
CVE-2018-14618
|