LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2000-0973 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in curl earlier than 6.0-1.1, and curl-ssl earlier than 6.0-1.2, allows remote attackers to execute arbitrary commands by forcing a long error message to be generated. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-0973 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2003-1605 CVE STATUS: Patched CVE SUMMARY: curl 7.x before 7.10.7 sends CONNECT proxy credentials to the remote server. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-1605 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2005-0490 CVE STATUS: Patched CVE SUMMARY: Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and possibly other versions, allow remote malicious web servers to execute arbitrary code via base64 encoded replies that exceed the intended buffer lengths when decoded, which is not properly handled by (1) the Curl_input_ntlm function in http_ntlm.c during NTLM authentication or (2) the Curl_krb_kauth and krb4_auth functions in krb4.c during Kerberos authentication. CVSS v2 BASE SCORE: 5.1 CVSS v3 BASE SCORE: 8.8 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0490 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2005-3185 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in the ntlm_output function in http-ntlm.c for (1) wget 1.10, (2) curl 7.13.2, and (3) libcurl 7.13.2, and other products that use libcurl, when NTLM authentication is enabled, allows remote servers to execute arbitrary code via a long NTLM username. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3185 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2005-4077 CVE STATUS: Patched CVE SUMMARY: Multiple off-by-one errors in the cURL library (libcurl) 7.11.2 through 7.15.0 allow local users to trigger a buffer overflow and cause a denial of service or bypass PHP security restrictions via certain URLs that (1) are malformed in a way that prevents a terminating null byte from being added to either a hostname or path buffer, or (2) contain a "?" separator in the hostname portion, which causes a "/" to be prepended to the resulting string. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-4077 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2006-1061 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in cURL and libcURL 7.15.0 through 7.15.2 allows remote attackers to execute arbitrary commands via a TFTP URL (tftp://) with a valid hostname and a long path. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1061 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2007-3564 CVE STATUS: Patched CVE SUMMARY: libcurl 7.14.0 through 7.16.3, when built with GnuTLS support, does not check SSL/TLS certificate expiration or activation dates, which allows remote attackers to bypass certain access restrictions. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3564 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2009-0037 CVE STATUS: Patched CVE SUMMARY: The redirect implementation in curl and libcurl 5.11 through 7.19.3, when CURLOPT_FOLLOWLOCATION is enabled, accepts arbitrary Location values, which might allow remote HTTP servers to (1) trigger arbitrary requests to intranet servers, (2) read or overwrite arbitrary files via a redirect to a file: URL, or (3) execute arbitrary commands via a redirect to an scp: URL. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0037 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2009-2417 CVE STATUS: Patched CVE SUMMARY: lib/ssluse.c in cURL and libcurl 7.4 through 7.19.5, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2417 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2010-0734 CVE STATUS: Patched CVE SUMMARY: content_encoding.c in libcurl 7.10.5 through 7.19.7, when zlib is enabled, does not properly restrict the amount of callback data sent to an application that requests automatic decompression, which might allow remote attackers to cause a denial of service (application crash) or have unspecified other impact by sending crafted compressed data to an application that relies on the intended data-length limit. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0734 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2010-3842 CVE STATUS: Patched CVE SUMMARY: Absolute path traversal vulnerability in curl 7.20.0 through 7.21.1, when the --remote-header-name or -J option is used, allows remote servers to create or overwrite arbitrary files by using \ (backslash) as a separator of path components within the Content-disposition HTTP header. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3842 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2011-2192 CVE STATUS: Patched CVE SUMMARY: The Curl_input_negotiate function in http_negotiate.c in libcurl 7.10.6 through 7.21.6, as used in curl and other products, always performs credential delegation during GSSAPI authentication, which allows remote servers to impersonate clients via GSSAPI requests. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2192 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2011-3389 CVE STATUS: Patched CVE SUMMARY: The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3389 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2012-0036 CVE STATUS: Patched CVE SUMMARY: curl and libcurl 7.2x before 7.24.0 do not properly consider special characters during extraction of a pathname from a URL, which allows remote attackers to conduct data-injection attacks via a crafted URL, as demonstrated by a CRLF injection attack on the (1) IMAP, (2) POP3, or (3) SMTP protocol. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0036 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2013-0249 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in the Curl_sasl_create_digest_md5_message function in lib/curl_sasl.c in curl and libcurl 7.26.0 through 7.28.1, when negotiating SASL DIGEST-MD5 authentication, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string in the realm parameter in a (1) POP3, (2) SMTP or (3) IMAP message. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0249 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2013-1944 CVE STATUS: Patched CVE SUMMARY: The tailMatch function in cookie.c in cURL and libcurl before 7.30.0 does not properly match the path domain when sending cookies, which allows remote attackers to steal cookies via a matching suffix in the domain of a URL. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1944 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2013-2174 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the curl_easy_unescape function in lib/escape.c in cURL and libcurl 7.7 through 7.30.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted string ending in a "%" (percent) character. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2174 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2013-4545 CVE STATUS: Patched CVE SUMMARY: cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4545 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2013-6422 CVE STATUS: Patched CVE SUMMARY: The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when disabling digital signature verification (CURLOPT_SSL_VERIFYPEER), also disables the CURLOPT_SSL_VERIFYHOST check for CN or SAN host name fields, which makes it easier for remote attackers to spoof servers and conduct man-in-the-middle (MITM) attacks. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6422 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2014-0015 CVE STATUS: Patched CVE SUMMARY: cURL and libcurl 7.10.6 through 7.34.0, when more than one authentication method is enabled, re-uses NTLM connections, which might allow context-dependent attackers to authenticate as other users via a request. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0015 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2014-0138 CVE STATUS: Patched CVE SUMMARY: The default configuration in cURL and libcurl 7.10.6 before 7.36.0 re-uses (1) SCP, (2) SFTP, (3) POP3, (4) POP3S, (5) IMAP, (6) IMAPS, (7) SMTP, (8) SMTPS, (9) LDAP, and (10) LDAPS connections, which might allow context-dependent attackers to connect as other users via a request, a similar issue to CVE-2014-0015. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0138 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2014-0139 CVE STATUS: Patched CVE SUMMARY: cURL and libcurl 7.1 before 7.36.0, when using the OpenSSL, axtls, qsossl or gskit libraries for TLS, recognize a wildcard IP address in the subject's Common Name (CN) field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0139 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2014-2522 CVE STATUS: Patched CVE SUMMARY: curl and libcurl 7.27.0 through 7.35.0, when running on Windows and using the SChannel/Winssl TLS backend, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when accessing a URL that uses a numerical IP address, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2522 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2014-3613 CVE STATUS: Patched CVE SUMMARY: cURL and libcurl before 7.38.0 does not properly handle IP addresses in cookie domain names, which allows remote attackers to set cookies for or send arbitrary cookies to certain sites, as demonstrated by a site at 192.168.0.1 setting cookies for a site at 127.168.0.1. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3613 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2014-3620 CVE STATUS: Patched CVE SUMMARY: cURL and libcurl before 7.38.0 allow remote attackers to bypass the Same Origin Policy and set cookies for arbitrary sites by setting a cookie for a top-level domain. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3620 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2014-3707 CVE STATUS: Patched CVE SUMMARY: The curl_easy_duphandle function in libcurl 7.17.1 through 7.38.0, when running with the CURLOPT_COPYPOSTFIELDS option, does not properly copy HTTP POST data for an easy handle, which triggers an out-of-bounds read that allows remote web servers to read sensitive memory information. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3707 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2014-8150 CVE STATUS: Patched CVE SUMMARY: CRLF injection vulnerability in libcurl 6.0 through 7.x before 7.40.0, when using an HTTP proxy, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in a URL. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8150 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2014-8151 CVE STATUS: Patched CVE SUMMARY: The darwinssl_connect_step1 function in lib/vtls/curl_darwinssl.c in libcurl 7.31.0 through 7.39.0, when using the DarwinSSL (aka SecureTransport) back-end for TLS, does not check if a cached TLS session validated the certificate when reusing the session, which allows man-in-the-middle attackers to spoof servers via a crafted certificate. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8151 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2015-3143 CVE STATUS: Patched CVE SUMMARY: cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use NTLM connections, which allows remote attackers to connect as other users via an unauthenticated request, a similar issue to CVE-2014-0015. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3143 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2015-3144 CVE STATUS: Patched CVE SUMMARY: The fix_hostname function in cURL and libcurl 7.37.0 through 7.41.0 does not properly calculate an index, which allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) or possibly have other unspecified impact via a zero-length host name, as demonstrated by "http://:80" and ":80." CVSS v2 BASE SCORE: 9.0 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3144 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2015-3145 CVE STATUS: Patched CVE SUMMARY: The sanitize_cookie_path function in cURL and libcurl 7.31.0 through 7.41.0 does not properly calculate an index, which allows remote attackers to cause a denial of service (out-of-bounds write and crash) or possibly have other unspecified impact via a cookie path containing only a double-quote character. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3145 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2015-3148 CVE STATUS: Patched CVE SUMMARY: cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use authenticated Negotiate connections, which allows remote attackers to connect as other users via a request. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3148 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2015-3153 CVE STATUS: Patched CVE SUMMARY: The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the proxy and destination server, which might allow remote proxy servers to obtain sensitive information by reading the header contents. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3153 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2015-3236 CVE STATUS: Patched CVE SUMMARY: cURL and libcurl 7.40.0 through 7.42.1 send the HTTP Basic authentication credentials for a previous connection when reusing a reset (curl_easy_reset) connection handle to send a request to the same host name, which allows remote attackers to obtain sensitive information via unspecified vectors. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3236 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2015-3237 CVE STATUS: Patched CVE SUMMARY: The smb_request_state function in cURL and libcurl 7.40.0 through 7.42.1 allows remote SMB servers to obtain sensitive information from memory or cause a denial of service (out-of-bounds read and crash) via crafted length and offset values. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3237 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-0754 CVE STATUS: Patched CVE SUMMARY: cURL before 7.47.0 on Windows allows attackers to write to arbitrary files in the current working directory on a different drive via a colon in a remote file name. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0754 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-0755 CVE STATUS: Patched CVE SUMMARY: The ConnectionExists function in lib/url.c in libcurl before 7.47.0 does not properly re-use NTLM-authenticated proxy connections, which might allow remote attackers to authenticate as other users via a request, a similar issue to CVE-2014-0015. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.3 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0755 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-3739 CVE STATUS: Patched CVE SUMMARY: The (1) mbed_connect_step1 function in lib/vtls/mbedtls.c and (2) polarssl_connect_step1 function in lib/vtls/polarssl.c in cURL and libcurl before 7.49.0, when using SSLv3 or making a TLS connection to a URL that uses a numerical IP address, allow remote attackers to spoof servers via an arbitrary valid certificate. CVSS v2 BASE SCORE: 2.6 CVSS v3 BASE SCORE: 5.3 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3739 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-4606 CVE STATUS: Patched CVE SUMMARY: Curl before 7.49.1 in Apple OS X before macOS Sierra prior to 10.12 allows remote or local attackers to execute arbitrary code, gain sensitive information, cause denial-of-service conditions, bypass security restrictions, and perform unauthorized actions. This may aid in other attacks. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4606 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-4802 CVE STATUS: Patched CVE SUMMARY: Multiple untrusted search path vulnerabilities in cURL and libcurl before 7.49.1, when built with SSPI or telnet is enabled, allow local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse (1) security.dll, (2) secur32.dll, or (3) ws2_32.dll in the application or current working directory. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 7.8 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4802 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-5419 CVE STATUS: Patched CVE SUMMARY: curl and libcurl before 7.50.1 do not prevent TLS session resumption when the client certificate has changed, which allows remote attackers to bypass intended restrictions by resuming a session. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5419 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-5420 CVE STATUS: Patched CVE SUMMARY: curl and libcurl before 7.50.1 do not check the client certificate when choosing the TLS connection to reuse, which might allow remote attackers to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5420 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-5421 CVE STATUS: Patched CVE SUMMARY: Use-after-free vulnerability in libcurl before 7.50.1 allows attackers to control which connection is used or possibly have unspecified other impact via unknown vectors. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.1 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5421 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-7141 CVE STATUS: Patched CVE SUMMARY: curl and libcurl before 7.50.2, when built with NSS and the libnsspem.so library is available at runtime, allow remote attackers to hijack the authentication of a TLS connection by leveraging reuse of a previously loaded client certificate from file for a connection for which no certificate has been set, a different vulnerability than CVE-2016-5420. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7141 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-7167 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in the (1) curl_escape, (2) curl_easy_escape, (3) curl_unescape, and (4) curl_easy_unescape functions in libcurl before 7.50.3 allow attackers to have unspecified impact via a string of length 0xffffffff, which triggers a heap-based buffer overflow. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7167 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-8615 CVE STATUS: Patched CVE SUMMARY: A flaw was found in curl before version 7.51. If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8615 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-8616 CVE STATUS: Patched CVE SUMMARY: A flaw was found in curl before version 7.51.0 When re-using a connection, curl was doing case insensitive comparisons of user name and password with the existing connections. This means that if an unused connection with proper credentials exists for a protocol that has connection-scoped credentials, an attacker can cause that connection to be reused if s/he knows the case-insensitive version of the correct password. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 3.7 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8616 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-8617 CVE STATUS: Patched CVE SUMMARY: The base64 encode function in curl before version 7.51.0 is prone to a buffer being under allocated in 32bit systems if it receives at least 1Gb as input via `CURLOPT_USERNAME`. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 3.3 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8617 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-8618 CVE STATUS: Patched CVE SUMMARY: The libcurl API function called `curl_maprintf()` before version 7.51.0 can be tricked into doing a double-free due to an unsafe `size_t` multiplication, on systems using 32 bit `size_t` variables. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 5.3 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8618 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-8619 CVE STATUS: Patched CVE SUMMARY: The function `read_data()` in security.c in curl before version 7.51.0 is vulnerable to memory double free. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 5.3 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8619 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-8620 CVE STATUS: Patched CVE SUMMARY: The 'globbing' feature in curl before version 7.51.0 has a flaw that leads to integer overflow and out-of-bounds read via user controlled input. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 6.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8620 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-8621 CVE STATUS: Patched CVE SUMMARY: The `curl_getdate` function in curl before version 7.51.0 is vulnerable to an out of bounds read if it receives an input with one digit short. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8621 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-8622 CVE STATUS: Patched CVE SUMMARY: The URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function would be made to allocate a unscape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus the length would get either just truncated or both truncated and turned negative. That could then lead to libcurl writing outside of its heap based buffer. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 3.7 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8622 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-8623 CVE STATUS: Patched CVE SUMMARY: A flaw was found in curl before version 7.51.0. The way curl handles cookies permits other threads to trigger a use-after-free leading to information disclosure. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 3.3 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8623 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-8624 CVE STATUS: Patched CVE SUMMARY: curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use an URL parser that follows the RFC to check for allowed domains before using curl to request them. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8624 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-8625 CVE STATUS: Patched CVE SUMMARY: curl before version 7.51.0 uses outdated IDNA 2003 standard to handle International Domain Names and this may lead users to potentially and unknowingly issue network transfer requests to the wrong host. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8625 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-9586 CVE STATUS: Patched CVE SUMMARY: curl before version 7.52.0 is vulnerable to a buffer overflow when doing a large floating point output in libcurl's implementation of the printf() functions. If there are any application that accepts a format string from the outside without necessary input filtering, it could allow remote attacks. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 5.9 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9586 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-9594 CVE STATUS: Patched CVE SUMMARY: curl before version 7.52.1 is vulnerable to an uninitialized random in libcurl's internal function that returns a good 32bit random value. Having a weak or virtually non-existent random value makes the operations that use it vulnerable. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 6.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9594 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-9952 CVE STATUS: Patched CVE SUMMARY: The verify_certificate function in lib/vtls/schannel.c in libcurl 7.30.0 through 7.51.0, when built for Windows CE using the schannel TLS backend, makes it easier for remote attackers to conduct man-in-the-middle attacks via a crafted wildcard SAN in a server certificate, as demonstrated by "*.com." CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.1 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9952 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-9953 CVE STATUS: Patched CVE SUMMARY: The verify_certificate function in lib/vtls/schannel.c in libcurl 7.30.0 through 7.51.0, when built for Windows CE using the schannel TLS backend, allows remote attackers to obtain sensitive information, cause a denial of service (crash), or possibly have unspecified other impact via a wildcard certificate name, which triggers an out-of-bounds read. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9953 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2017-1000099 CVE STATUS: Patched CVE SUMMARY: When asking to get a file from a file:// URL, libcurl provides a feature that outputs meta-data about the file using HTTP-like headers. The code doing this would send the wrong buffer to the user (stdout or the application's provide callback), which could lead to other private data from the heap to get inadvertently displayed. The wrong buffer was an uninitialized memory area allocated on the heap and if it turned out to not contain any zero byte, it would continue and display the data following that buffer in memory. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000099 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2017-1000100 CVE STATUS: Patched CVE SUMMARY: When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too large value is then used in the sendto() call, making curl attempt to send more data than what is actually put into the buffer. The endto() function will then read beyond the end of the heap based buffer. A malicious HTTP(S) server could redirect a vulnerable libcurl-using client to a crafted TFTP URL (if the client hasn't restricted which protocols it allows redirects to) and trick it to send private memory contents to a remote server over UDP. Limit curl's redirect protocols with --proto-redir and libcurl's with CURLOPT_REDIR_PROTOCOLS. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000100 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2017-1000101 CVE STATUS: Patched CVE SUMMARY: curl supports "globbing" of URLs, in which a user can pass a numerical range to have the tool iterate over those numbers to do a sequence of transfers. In the globbing function that parses the numerical range, there was an omission that made curl read a byte beyond the end of the URL if given a carefully crafted, or just wrongly written, URL. The URL is stored in a heap based buffer, so it could then be made to wrongly read something else instead of crashing. An example of a URL that triggers the flaw would be `http://ur%20[0-60000000000000000000`. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000101 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2017-1000254 CVE STATUS: Patched CVE SUMMARY: libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients to work with it - the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault. The simple fact that this has issue remained undiscovered for this long could suggest that malformed PWD responses are rare in benign servers. We are not aware of any exploit of this flaw. This bug was introduced in commit [415d2e7cb7](https://github.com/curl/curl/commit/415d2e7cb7), March 2005. In libcurl version 7.56.0, the parser always zero terminates the string but also rejects it if not terminated properly with a final double quote. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000254 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2017-1000257 CVE STATUS: Patched CVE SUMMARY: An IMAP FETCH response line indicates the size of the returned data, in number of bytes. When that response says the data is zero bytes, libcurl would pass on that (non-existing) data with a pointer and the size (zero) to the deliver-data function. libcurl's deliver-data function treats zero as a magic number and invokes strlen() on the data to figure out the length. The strlen() is called on a heap based buffer that might not be zero terminated so libcurl might read beyond the end of it into whatever memory lies after (or just crash) and then deliver that to the application as if it was actually downloaded. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 9.1 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000257 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2017-2628 CVE STATUS: Patched CVE SUMMARY: curl, as shipped in Red Hat Enterprise Linux 6 before version 7.19.7-53, did not correctly backport the fix for CVE-2015-3148 because it did not reflect the fact that the HAVE_GSSAPI define was meanwhile substituted by USE_HTTP_NEGOTIATE. This issue was introduced in RHEL 6.7 and affects RHEL 6 curl only. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2628 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2017-2629 CVE STATUS: Patched CVE SUMMARY: curl before 7.53.0 has an incorrect TLS Certificate Status Request extension feature that asks for a fresh proof of the server's certificate's validity in the code that checks for a test success or failure. It ends up always thinking there's valid proof, even when there is none or if the server doesn't support the TLS extension in question. This could lead to users not detecting when a server's certificate goes invalid or otherwise be mislead that the server is in a better shape than it is in reality. This flaw also exists in the command line tool (--cert-status). CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 4.3 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2629 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2017-7407 CVE STATUS: Patched CVE SUMMARY: The ourWriteOut function in tool_writeout.c in curl 7.53.1 might allow physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which leads to a heap-based buffer over-read. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 2.4 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7407 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2017-7468 CVE STATUS: Patched CVE SUMMARY: In curl and libcurl 7.52.0 to and including 7.53.1, libcurl would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable since a server by specification is allowed to skip the client certificate check on resume, and may instead use the old identity which was established by the previous certificate (or no certificate). libcurl supports by default the use of TLS session id/ticket to resume previous TLS sessions to speed up subsequent TLS handshakes. They are used when for any reason an existing TLS connection couldn't be kept alive to make the next handshake faster. This flaw is a regression and identical to CVE-2016-5419 reported on August 3rd 2016, but affecting a different version range. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 4.8 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7468 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2017-8816 CVE STATUS: Patched CVE SUMMARY: The NTLM authentication feature in curl and libcurl before 7.57.0 on 32-bit platforms allows attackers to cause a denial of service (integer overflow and resultant buffer overflow, and application crash) or possibly have unspecified other impact via vectors involving long user and password fields. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8816 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2017-8817 CVE STATUS: Patched CVE SUMMARY: The FTP wildcard function in curl and libcurl before 7.57.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a string that ends with an '[' character. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8817 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2017-8818 CVE STATUS: Patched CVE SUMMARY: curl and libcurl before 7.57.0 on 32-bit platforms allow attackers to cause a denial of service (out-of-bounds access and application crash) or possibly have unspecified other impact because too little memory is allocated for interfacing to an SSL library. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8818 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2017-9502 CVE STATUS: Patched CVE SUMMARY: In curl before 7.54.1 on Windows and DOS, libcurl's default protocol function, which is the logic that allows an application to set which protocol libcurl should attempt to use when given a URL without a scheme part, had a flaw that could lead to it overwriting a heap based memory buffer with seven bytes. If the default protocol is specified to be FILE or a file: URL lacks two slashes, the given "URL" starts with a drive letter, and libcurl is built for Windows or DOS, then libcurl would copy the path 7 bytes off, so that the end of the given path would write beyond the malloc buffer (7 bytes being the length in bytes of the ascii string "file://"). CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9502 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2018-0500 CVE STATUS: Patched CVE SUMMARY: Curl_smtp_escape_eob in lib/smtp.c in curl 7.54.1 to and including curl 7.60.0 has a heap-based buffer overflow that might be exploitable by an attacker who can control the data that curl transmits over SMTP with certain settings (i.e., use of a nonstandard --limit-rate argument or CURLOPT_BUFFERSIZE value). CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-0500 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2018-1000005 CVE STATUS: Patched CVE SUMMARY: libcurl 7.49.0 to and including 7.57.0 contains an out bounds read in code handling HTTP/2 trailers. It was reported (https://github.com/curl/curl/pull/2231) that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the code that creates HTTP/1-like headers from the HTTP/2 trailer data once appended a string like `:` to the target buffer, while this was recently changed to `: ` (a space was added after the colon) but the following math wasn't updated correspondingly. When accessed, the data is read out of bounds and causes either a crash or that the (too large) data gets passed to client write. This could lead to a denial-of-service situation or an information disclosure if someone has a service that echoes back or uses the trailers for something. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 9.1 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000005 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2018-1000007 CVE STATUS: Patched CVE SUMMARY: libcurl 7.1 through 7.57.0 might accidentally leak authentication data to third parties. When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the `Location:` response header value. Sending the same set of headers to subsequent hosts is in particular a problem for applications that pass on custom `Authorization:` headers, as this header often contains privacy sensitive information or data that could allow others to impersonate the libcurl-using client's request. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 9.8 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000007 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2018-1000120 CVE STATUS: Patched CVE SUMMARY: A buffer overflow exists in curl 7.12.3 to and including curl 7.58.0 in the FTP URL handling that allows an attacker to cause a denial of service or worse. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000120 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2018-1000121 CVE STATUS: Patched CVE SUMMARY: A NULL pointer dereference exists in curl 7.21.0 to and including curl 7.58.0 in the LDAP code that allows an attacker to cause a denial of service CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000121 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2018-1000122 CVE STATUS: Patched CVE SUMMARY: A buffer over-read exists in curl 7.20.0 to and including curl 7.58.0 in the RTSP+RTP handling code that allows an attacker to cause a denial of service or information leakage CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 9.1 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000122 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2018-1000300 CVE STATUS: Patched CVE SUMMARY: curl version curl 7.54.1 to and including curl 7.59.0 contains a CWE-122: Heap-based Buffer Overflow vulnerability in denial of service and more that can result in curl might overflow a heap based memory buffer when closing down an FTP connection with very long server command replies.. This vulnerability appears to have been fixed in curl < 7.54.1 and curl >= 7.60.0. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000300 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2018-1000301 CVE STATUS: Patched CVE SUMMARY: curl version curl 7.20.0 to and including curl 7.59.0 contains a CWE-126: Buffer Over-read vulnerability in denial of service that can result in curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded RTSP content.. This vulnerability appears to have been fixed in curl < 7.20.0 and curl >= 7.60.0. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 9.1 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000301 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2018-14618 CVE STATUS: Patched CVE SUMMARY: curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.) CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 7.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14618 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2018-16839 CVE STATUS: Patched CVE SUMMARY: Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 4.3 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16839 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2018-16840 CVE STATUS: Patched CVE SUMMARY: A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. When closing and cleaning up an 'easy' handle in the `Curl_close()` function, the library code first frees a struct (without nulling the pointer) and might then subsequently erroneously write to a struct field within that already freed struct. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 4.3 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16840 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2018-16842 CVE STATUS: Patched CVE SUMMARY: Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 4.4 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16842 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2018-16890 CVE STATUS: Patched CVE SUMMARY: libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length + offset combination that would lead to a buffer read out-of-bounds. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.4 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16890 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2019-3822 CVE STATUS: Patched CVE SUMMARY: libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening. This output data can grow larger than the local buffer if very large 'nt response' data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server. Such a 'large value' needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 7.1 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3822 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2019-3823 CVE STATUS: Patched CVE SUMMARY: libcurl versions from 7.34.0 to before 7.64.0 are vulnerable to a heap out-of-bounds read in the code handling the end-of-response for SMTP. If the buffer passed to `smtp_endofresp()` isn't NUL terminated and contains no character ending the parsed number, and `len` is set to 5, then the `strtol()` call reads beyond the allocated buffer. The read contents will not be returned to the caller. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 4.3 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3823 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2019-5435 CVE STATUS: Patched CVE SUMMARY: An integer overflow in curl's URL API results in a buffer overflow in libcurl 7.62.0 to and including 7.64.1. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 3.7 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5435 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2019-5436 CVE STATUS: Patched CVE SUMMARY: A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5436 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2019-5443 CVE STATUS: Patched CVE SUMMARY: A non-privileged user or program can put code and a config file in a known non-privileged path (under C:/usr/local/) that will make curl <= 7.65.1 automatically run the code (as an openssl "engine") on invocation. If that curl is invoked by a privileged user it can do anything it wants. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 7.8 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5443 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2019-5481 CVE STATUS: Patched CVE SUMMARY: Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5481 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2019-5482 CVE STATUS: Patched CVE SUMMARY: Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5482 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2020-19909 CVE STATUS: Patched CVE SUMMARY: Integer overflow vulnerability in tool_operate.c in curl 7.65.2 via a large value as the retry delay. NOTE: many parties report that this has no direct security impact on the curl user; however, it may (in theory) cause a denial of service to associated systems or networks if, for example, --retry-delay is misinterpreted as a value much smaller than what was intended. This is not especially plausible because the overflow only happens if the user was trying to specify that curl should wait weeks (or longer) before trying to recover from a transient error. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.3 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-19909 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2020-8169 CVE STATUS: Patched CVE SUMMARY: curl 7.62.0 through 7.70.0 is vulnerable to an information disclosure vulnerability that can lead to a partial password being leaked over the network and to the DNS server(s). CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8169 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2020-8177 CVE STATUS: Patched CVE SUMMARY: curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead too overwriting a local file when the -J flag is used. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8177 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2020-8231 CVE STATUS: Patched CVE SUMMARY: Due to use of a dangling pointer, libcurl 7.29.0 through 7.71.1 can use the wrong connection when sending data. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8231 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2020-8284 CVE STATUS: Patched CVE SUMMARY: A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 3.7 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8284 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2020-8285 CVE STATUS: Patched CVE SUMMARY: curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8285 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2020-8286 CVE STATUS: Patched CVE SUMMARY: curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8286 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2021-22876 CVE STATUS: Patched CVE SUMMARY: curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22876 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2021-22890 CVE STATUS: Patched CVE SUMMARY: curl 7.63.0 to and including 7.75.0 includes vulnerability that allows a malicious HTTPS proxy to MITM a connection due to bad handling of TLS 1.3 session tickets. When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly "short-cut" the host handshake. When confusing the tickets, a HTTPS proxy can trick libcurl to use the wrong session ticket resume for the host and thereby circumvent the server TLS certificate check and make a MITM attack to be possible to perform unnoticed. Note that such a malicious HTTPS proxy needs to provide a certificate that curl will accept for the MITMed server for an attack to work - unless curl has been told to ignore the server certificate check. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 3.7 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22890 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2021-22897 CVE STATUS: Patched CVE SUMMARY: curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected cipher set was stored in a single "static" variable in the library, which has the surprising side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport security significantly. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.3 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22897 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2021-22898 CVE STATUS: Patched CVE SUMMARY: curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol. CVSS v2 BASE SCORE: 2.6 CVSS v3 BASE SCORE: 3.1 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22898 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2021-22901 CVE STATUS: Patched CVE SUMMARY: curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being used when a TLS 1.3 session ticket arrives over a connection. A malicious server can use this in rare unfortunate circumstances to potentially reach remote code execution in the client. When libcurl at run-time sets up support for TLS 1.3 session tickets on a connection using OpenSSL, it stores pointers to the transfer in-memory object for later retrieval when a session ticket arrives. If the connection is used by multiple transfers (like with a reused HTTP/1.1 connection or multiplexed HTTP/2 connection) that first transfer object might be freed before the new session is established on that connection and then the function will access a memory buffer that might be freed. When using that memory, libcurl might even call a function pointer in the object, making it possible for a remote code execution if the server could somehow manage to get crafted memory content into the correct place in memory. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.1 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22901 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2021-22922 CVE STATUS: Patched CVE SUMMARY: When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22922 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2021-22923 CVE STATUS: Patched CVE SUMMARY: When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened. CVSS v2 BASE SCORE: 2.6 CVSS v3 BASE SCORE: 5.3 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22923 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2021-22924 CVE STATUS: Patched CVE SUMMARY: libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 3.7 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22924 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2021-22925 CVE STATUS: Patched CVE SUMMARY: curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`in libcurl. This rarely used option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for sending `NEW_ENV` variables, libcurlcould be made to pass on uninitialized data from a stack based buffer to theserver. Therefore potentially revealing sensitive internal information to theserver using a clear-text network protocol.This could happen because curl did not call and use sscanf() correctly whenparsing the string provided by the application. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22925 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2021-22926 CVE STATUS: Patched CVE SUMMARY: libcurl-using applications can ask for a specific client certificate to be used in a transfer. This is done with the `CURLOPT_SSLCERT` option (`--cert` with the command line tool).When libcurl is built to use the macOS native TLS library Secure Transport, an application can ask for the client certificate by name or with a file name - using the same option. If the name exists as a file, it will be used instead of by name.If the appliction runs with a current working directory that is writable by other users (like `/tmp`), a malicious user can create a file name with the same name as the app wants to use by name, and thereby trick the application to use the file based cert instead of the one referred to by name making libcurl send the wrong client certificate in the TLS connection handshake. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22926 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2021-22945 CVE STATUS: Patched CVE SUMMARY: When sending data to an MQTT server, libcurl <= 7.73.0 and 7.78.0 could in some circumstances erroneously keep a pointer to an already freed memory area and both use that again in a subsequent call to send data and also free it *again*. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 9.1 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22945 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2021-22946 CVE STATUS: Patched CVE SUMMARY: A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or`CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` withlibcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response.This flaw would then make curl silently continue its operations **withoutTLS** contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22946 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2021-22947 CVE STATUS: Patched CVE SUMMARY: When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached responses but instead continue using and trustingthe responses it got *before* the TLS handshake as if they were authenticated.Using this flaw, it allows a Man-In-The-Middle attacker to first inject the fake responses, then pass-through the TLS traffic from the legitimate server and trick curl into sending data back to the user thinking the attacker's injected data comes from the TLS-protected server. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22947 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2022-22576 CVE STATUS: Patched CVE SUMMARY: An improper authentication vulnerability exists in curl 7.33.0 to and including 7.82.0 which might allow reuse OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMPTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only). CVSS v2 BASE SCORE: 5.5 CVSS v3 BASE SCORE: 8.1 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-22576 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2022-27774 CVE STATUS: Patched CVE SUMMARY: An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 are affected that could allow an attacker to extract credentials when follows HTTP(S) redirects is used with authentication could leak credentials to other services that exist on different protocols or port numbers. CVSS v2 BASE SCORE: 3.5 CVSS v3 BASE SCORE: 5.7 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:S/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27774 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2022-27775 CVE STATUS: Patched CVE SUMMARY: An information disclosure vulnerability exists in curl 7.65.0 to 7.82.0 are vulnerable that by using an IPv6 address that was in the connection pool but with a different zone id it could reuse a connection instead. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27775 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2022-27776 CVE STATUS: Patched CVE SUMMARY: A insufficiently protected credentials vulnerability in fixed in curl 7.83.0 might leak authentication or cookie header data on HTTP redirects to the same host but another port number. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27776 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2022-27778 CVE STATUS: Patched CVE SUMMARY: A use of incorrectly resolved name vulnerability fixed in 7.83.1 might remove the wrong file when `--no-clobber` is used together with `--remove-on-error`. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 8.1 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27778 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2022-27779 CVE STATUS: Patched CVE SUMMARY: libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if thehost name is provided with a trailing dot.curl can be told to receive and send cookies. curl's "cookie engine" can bebuilt with or without [Public Suffix List](https://publicsuffix.org/)awareness. If PSL support not provided, a more rudimentary check exists to atleast prevent cookies from being set on TLDs. This check was broken if thehost name in the URL uses a trailing dot.This can allow arbitrary sites to set cookies that then would get sent to adifferent and unrelated site or domain. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27779 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2022-27780 CVE STATUS: Patched CVE SUMMARY: The curl URL parser wrongly accepts percent-encoded URL separators like '/'when decoding the host name part of a URL, making it a *different* URL usingthe wrong host name when it is later retrieved.For example, a URL like `http://example.com%2F127.0.0.1/`, would be allowed bythe parser and get transposed into `http://example.com/127.0.0.1/`. This flawcan be used to circumvent filters, checks and more. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27780 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2022-27781 CVE STATUS: Patched CVE SUMMARY: libcurl provides the `CURLOPT_CERTINFO` option to allow applications torequest details to be returned about a server's certificate chain.Due to an erroneous function, a malicious server could make libcurl built withNSS get stuck in a never-ending busy-loop when trying to retrieve thatinformation. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27781 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2022-27782 CVE STATUS: Patched CVE SUMMARY: libcurl would reuse a previously created connection even when a TLS or SSHrelated option had been changed that should have prohibited reuse.libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse if one of them matches the setup. However, several TLS andSSH settings were left out from the configuration match checks, making themmatch too easily. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27782 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2022-30115 CVE STATUS: Patched CVE SUMMARY: Using its HSTS support, curl can be instructed to use HTTPS directly insteadof using an insecure clear-text HTTP step even when HTTP is provided in theURL. This mechanism could be bypassed if the host name in the given URL used atrailing dot while not using one when it built the HSTS cache. Or the otherway around - by having the trailing dot in the HSTS cache and *not* using thetrailing dot in the URL. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 4.3 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-30115 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2022-32205 CVE STATUS: Patched CVE SUMMARY: A malicious server can serve excessive amounts of `Set-Cookie:` headers in a HTTP response to curl and curl < 7.84.0 stores all of them. A sufficiently large amount of (big) cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the threshold that curl uses internally to avoid sending crazy large requests (1048576 bytes) and instead returns an error.This denial state might remain for as long as the same cookies are kept, match and haven't expired. Due to cookie matching rules, a server on `foo.example.com` can set cookies that also would match for `bar.example.com`, making it it possible for a "sister server" to effectively cause a denial of service for a sibling site on the same second level domain using this method. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 4.3 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-32205 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2022-32206 CVE STATUS: Patched CVE SUMMARY: curl < 7.84.0 supports "chained" HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.The use of such a decompression chain could result in a "malloc bomb", makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of memory errors. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-32206 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2022-32207 CVE STATUS: Patched CVE SUMMARY: When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name.In that rename operation, it might accidentally *widen* the permissions for the target file, leaving the updated file accessible to more users than intended. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-32207 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2022-32208 CVE STATUS: Patched CVE SUMMARY: When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-32208 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2022-32221 CVE STATUS: Patched CVE SUMMARY: When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-32221 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2022-35252 CVE STATUS: Patched CVE SUMMARY: When curl is used to retrieve and parse cookies from a HTTP(S) server, itaccepts cookies using control codes that when later are sent back to a HTTPserver might make the server return 400 responses. Effectively allowing a"sister site" to deny service to all siblings. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.7 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-35252 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2022-35260 CVE STATUS: Patched CVE SUMMARY: curl can be told to parse a `.netrc` file for credentials. If that file endsin a line with 4095 consecutive non-white space letters and no newline, curlwould first read past the end of the stack-based buffer, and if the readworks, write a zero byte beyond its boundary.This will in most cases cause a segfault or similar, but circumstances might also cause different outcomes.If a malicious user can provide a custom netrc file to an application or otherwise affect its contents, this flaw could be used as denial-of-service. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-35260 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2022-42915 CVE STATUS: Patched CVE SUMMARY: curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.1 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42915 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2022-42916 CVE STATUS: Patched CVE SUMMARY: In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42916 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2022-43551 CVE STATUS: Patched CVE SUMMARY: A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`. Then in a subsequent request, it does not detect the HSTS state and makes a clear text transfer. Because it would store the info IDN encoded but look for it IDN decoded. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-43551 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2022-43552 CVE STATUS: Patched CVE SUMMARY: A use after free vulnerability exists in curl <7.87.0. Curl can be asked to *tunnel* virtually all protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations. When getting denied to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocated struct after it had been freed, in its transfer shutdown code path. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.9 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-43552 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2023-23914 CVE STATUS: Patched CVE SUMMARY: A cleartext transmission of sensitive information vulnerability exists in curl