[
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2025-10148",
"aliases": [
"CVE-2025-10148"
],
"summary": "predictable WebSocket mask",
"modified": "2025-09-15T22:30:42.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2025-10148.json",
"www": "https://curl.se/docs/CVE-2025-10148.html",
"issue": "https://hackerone.com/reports/3330839",
"CWE": {
"id": "CWE-340",
"desc": "Generation of Predictable Numbers or Identifiers"
},
"award": {
"amount": "505",
"currency": "USD"
},
"last_affected": "8.15.0",
"severity": "Low"
},
"published": "2025-09-10T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "8.11.0"},
{"fixed": "8.16.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "d78e129d50b2d190f1c1bde2ad1f62f02f152db0"},
{"fixed": "84db7a9eae8468c0445b15aa806fa7fa806fa0f2"}
]
}
],
"versions": [
"8.15.0", "8.14.1", "8.14.0", "8.13.0", "8.12.1", "8.12.0", "8.11.1",
"8.11.0"
]
}
],
"credits": [
{
"name": "Calvin Ruocco (Vector Informatik GmbH)",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "curl's WebSocket code did not update the 32 bit mask pattern for each new\noutgoing frame as the specification says. Instead it used a fixed mask that\npersisted and was used throughout the entire connection.\n\nA predictable mask pattern allows for a malicious server to induce traffic\nbetween the two communicating parties that could be interpreted by an involved\nproxy (configured or transparent) as genuine, real, HTTP traffic with content\nand thereby poison its cache. That cached poisoned content could then be\nserved to all users of that proxy."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2025-9086",
"aliases": [
"CVE-2025-9086"
],
"summary": "Out of bounds read for cookie path",
"modified": "2025-09-10T07:45:33.00Z",
"database_specific": {
"package": "curl",
"affects": "lib",
"URL": "https://curl.se/docs/CVE-2025-9086.json",
"www": "https://curl.se/docs/CVE-2025-9086.html",
"issue": "https://hackerone.com/reports/3294999",
"CWE": {
"id": "CWE-125",
"desc": "Out-of-bounds Read"
},
"award": {
"amount": "505",
"currency": "USD"
},
"last_affected": "8.15.0",
"severity": "Low"
},
"published": "2025-09-10T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.31.0"},
{"fixed": "8.16.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "f24dc09d209a2f91ca38d854f0c15ad93f3d7e2d"},
{"fixed": "c6ae07c6a541e0e96d0040afb62b45dd37711300"}
]
}
],
"versions": [
"8.15.0", "8.14.1", "8.14.0", "8.13.0", "8.12.1", "8.12.0", "8.11.1",
"8.11.0", "8.10.1", "8.10.0", "8.9.1", "8.9.0", "8.8.0", "8.7.1",
"8.7.0", "8.6.0", "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0",
"8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0",
"7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0",
"7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1",
"7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0",
"7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3",
"7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0",
"7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1",
"7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0",
"7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0",
"7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0",
"7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0",
"7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0",
"7.32.0", "7.31.0"
]
}
],
"credits": [
{
"name": "Google Big Sleep",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "1. A cookie is set using the `secure` keyword for `https://target`\n2. curl is redirected to or otherwise made to speak with `http://target` (same\n hostname, but using clear text HTTP) using the same cookie set\n3. The same cookie name is set - but with just a slash as path (`path=\"/\"`).\n Since this site is not secure, the cookie *should* just be ignored.\n4. A bug in the path comparison logic makes curl read outside a heap buffer\n boundary\n\nThe bug either causes a crash or it potentially makes the comparison come to\nthe wrong conclusion and lets the clear-text site override the contents of the\nsecure cookie, contrary to expectations and depending on the memory contents\nimmediately following the single-byte allocation that holds the path.\n\nThe presumed and correct behavior would be to plainly ignore the second set of\nthe cookie since it was already set as secure on a secure host so overriding\nit on an insecure host should not be okay."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2025-5399",
"aliases": [
"CVE-2025-5399"
],
"summary": "WebSocket endless loop",
"modified": "2025-06-04T07:44:49.00Z",
"database_specific": {
"package": "curl",
"affects": "lib",
"URL": "https://curl.se/docs/CVE-2025-5399.json",
"www": "https://curl.se/docs/CVE-2025-5399.html",
"issue": "https://hackerone.com/reports/3168039",
"CWE": {
"id": "CWE-835",
"desc": "Loop with Unreachable Exit Condition ('Infinite Loop')"
},
"award": {
"amount": "505",
"currency": "USD"
},
"last_affected": "8.14.0",
"severity": "Low"
},
"published": "2025-06-04T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "8.13.0"},
{"fixed": "8.14.1"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "3588df9478d7c27046b34cdb510728a26bedabc7"},
{"fixed": "d1145df24de8f80e6b167fbc4f28b86bcd0c6832"}
]
}
],
"versions": [
"8.14.0", "8.13.0"
]
}
],
"credits": [
{
"name": "z2_ on hackerone",
"type": "FINDER"
},
{
"name": "z2_ on hackerone",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "Due to a mistake in libcurl's WebSocket code, a malicious server can send a\nparticularly crafted packet which makes libcurl get trapped in an endless\nbusy-loop.\n\nThere is no other way for the application to escape or exit this loop other\nthan killing the thread/process.\n\nThis might be used to DoS a libcurl-using application."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2025-5025",
"aliases": [
"CVE-2025-5025"
],
"summary": "No QUIC certificate pinning with wolfSSL",
"modified": "2025-05-28T08:10:29.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2025-5025.json",
"www": "https://curl.se/docs/CVE-2025-5025.html",
"issue": "https://hackerone.com/reports/3153497",
"CWE": {
"id": "CWE-295",
"desc": "Improper Certificate Validation"
},
"award": {
"amount": "2540",
"currency": "USD"
},
"last_affected": "8.13.0",
"severity": "Medium"
},
"published": "2025-05-28T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "8.5.0"},
{"fixed": "8.14.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "5f78cf503c786a1d48d13528dde038bccfa6c67c"},
{"fixed": "e1f65937a96a451292e9231339672797da86ecc5"}
]
}
],
"versions": [
"8.13.0", "8.12.1", "8.12.0", "8.11.1", "8.11.0", "8.10.1", "8.10.0",
"8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", "8.5.0"
]
}
],
"credits": [
{
"name": "Hiroki Kurosawa",
"type": "FINDER"
},
{
"name": "Stefan Eissing",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl supports *pinning* of the server certificate public key for HTTPS\ntransfers. Due to an omission, this check is not performed when connecting\nwith QUIC for HTTP/3, when the TLS backend is wolfSSL.\n\nDocumentation says the option works with wolfSSL, failing to specify that it\ndoes not for QUIC and HTTP/3.\n\nSince pinning makes the transfer succeed if the pin is fine, users could\nunwittingly connect to an impostor server without noticing."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2025-4947",
"aliases": [
"CVE-2025-4947"
],
"summary": "QUIC certificate check skip with wolfSSL",
"modified": "2025-05-28T08:10:29.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2025-4947.json",
"www": "https://curl.se/docs/CVE-2025-4947.html",
"issue": "https://hackerone.com/reports/3150884",
"CWE": {
"id": "CWE-295",
"desc": "Improper Certificate Validation"
},
"award": {
"amount": "2540",
"currency": "USD"
},
"last_affected": "8.13.0",
"severity": "Medium"
},
"published": "2025-05-28T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "8.8.0"},
{"fixed": "8.14.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "4c46e277b2a0c0489de0e0fcb91f315c62f0369c"},
{"fixed": "a85f1df4803bbd272905c9e712537b41afeafbd3"}
]
}
],
"versions": [
"8.13.0", "8.12.1", "8.12.0", "8.11.1", "8.11.0", "8.10.1", "8.10.0",
"8.9.1", "8.9.0", "8.8.0"
]
}
],
"credits": [
{
"name": "Hiroki Kurosawa",
"type": "FINDER"
},
{
"name": "Stefan Eissing",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl accidentally skips the certificate verification for QUIC connections\nwhen connecting to a host specified as an IP address in the URL. Therefore, it\ndoes not detect impostors or man-in-the-middle attacks."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2025-0725",
"aliases": [
"CVE-2025-0725"
],
"summary": "gzip integer overflow",
"modified": "2025-05-15T17:48:29.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2025-0725.json",
"www": "https://curl.se/docs/CVE-2025-0725.html",
"issue": "https://hackerone.com/reports/2956023",
"CWE": {
"id": "CWE-680",
"desc": "Integer Overflow to Buffer Overflow"
},
"award": {
"amount": "505",
"currency": "USD"
},
"last_affected": "8.11.1",
"severity": "Low"
},
"published": "2025-02-05T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.10.5"},
{"fixed": "8.12.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "019c4088cfcca0d2b7c5cc4f52ca5dac0c616089"},
{"fixed": "76f83f0db23846e254d940ec7fe141010077eb88"}
]
}
],
"versions": [
"8.11.1", "8.11.0", "8.10.1", "8.10.0", "8.9.1", "8.9.0", "8.8.0",
"8.7.1", "8.7.0", "8.6.0", "8.5.0", "8.4.0", "8.3.0", "8.2.1",
"8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1",
"7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0",
"7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0",
"7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1",
"7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0",
"7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0",
"7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0",
"7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1",
"7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1",
"7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0",
"7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0",
"7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0",
"7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0",
"7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0",
"7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1",
"7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4",
"7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0",
"7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0",
"7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1",
"7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1",
"7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6",
"7.10.5"
]
}
],
"credits": [
{
"name": "z2_",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "When libcurl is asked to perform automatic gzip decompression of\ncontent-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option,\n**using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow would\nmake libcurl perform a buffer overflow."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2025-0665",
"aliases": [
"CVE-2025-0665"
],
"summary": "eventfd double close",
"modified": "2025-05-15T17:48:29.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2025-0665.json",
"www": "https://curl.se/docs/CVE-2025-0665.html",
"issue": "https://hackerone.com/reports/2954286",
"CWE": {
"id": "CWE-1341",
"desc": "Multiple Releases of Same Resource or Handle"
},
"award": {
"amount": "505",
"currency": "USD"
},
"last_affected": "8.11.1",
"severity": "Low"
},
"published": "2025-02-05T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "8.11.1"},
{"fixed": "8.12.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "92124838c6b7e09e3f35ff84e1eb63cf0105c9b5"},
{"fixed": "ff5091aa9f73802e894b1cbdf24ab84e103200e2"}
]
}
],
"versions": [
"8.11.1"
]
}
],
"credits": [
{
"name": "Christian Heusel",
"type": "FINDER"
},
{
"name": "Andy Pan",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl would wrongly close the same eventfd file descriptor twice when taking\ndown a connection channel after having completed a threaded name resolve."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2025-0167",
"aliases": [
"CVE-2025-0167"
],
"summary": "netrc and default credential leak",
"modified": "2025-09-15T12:17:28.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2025-0167.json",
"www": "https://curl.se/docs/CVE-2025-0167.html",
"issue": "https://hackerone.com/reports/2917232",
"CWE": {
"id": "CWE-200",
"desc": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"award": {
"amount": "505",
"currency": "USD"
},
"last_affected": "8.11.1",
"severity": "Low"
},
"published": "2025-02-05T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.76.0"},
{"fixed": "8.12.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "46620b97431e19c53ce82e55055c85830f088cf4"},
{"fixed": "0e120c5b925e8ca75d5319e319e5ce4b8080d8eb"}
]
}
],
"versions": [
"8.11.1", "8.11.0", "8.10.1", "8.10.0", "8.9.1", "8.9.0", "8.8.0",
"8.7.1", "8.7.0", "8.6.0", "8.5.0", "8.4.0", "8.3.0", "8.2.1",
"8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1",
"7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0",
"7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0",
"7.76.1", "7.76.0"
]
}
],
"credits": [
{
"name": "Yihang Zhou",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "When asked to use a `.netrc` file for credentials **and** to follow HTTP\nredirects, curl could leak the password used for the first host to the\nfollowed-to host under certain circumstances.\n\nThis flaw only manifests itself if the netrc file has a `default` entry that\nomits both login and password. A rare circumstance."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2024-11053",
"aliases": [
"CVE-2024-11053"
],
"summary": "netrc and redirect credential leak",
"modified": "2025-09-15T12:12:51.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2024-11053.json",
"www": "https://curl.se/docs/CVE-2024-11053.html",
"issue": "https://hackerone.com/reports/2829063",
"CWE": {
"id": "CWE-200",
"desc": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"award": {
"amount": "505",
"currency": "USD"
},
"last_affected": "8.11.0",
"severity": "Low"
},
"published": "2024-12-11T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.76.0"},
{"fixed": "8.11.1"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "46620b97431e19c53ce82e55055c85830f088cf4"},
{"fixed": "e9b9bbac22c26cf67316fa8e6c6b9e831af31949"}
]
}
],
"versions": [
"8.11.0", "8.10.1", "8.10.0", "8.9.1", "8.9.0", "8.8.0", "8.7.1",
"8.7.0", "8.6.0", "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0",
"8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0",
"7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0",
"7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1",
"7.76.0"
]
}
],
"credits": [
{
"name": "Harry Sintonen",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "When asked to both use a `.netrc` file for credentials and to follow HTTP\nredirects, curl could leak the password used for the first host to the\nfollowed-to host under certain circumstances.\n\nThis flaw only manifests itself if the netrc file has an entry that matches\nthe redirect target hostname but the entry either omits just the password or\nomits both login and password."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2024-9681",
"aliases": [
"CVE-2024-9681"
],
"summary": "HSTS subdomain overwrites parent cache entry",
"modified": "2024-11-07T23:43:58.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2024-9681.json",
"www": "https://curl.se/docs/CVE-2024-9681.html",
"issue": "https://hackerone.com/reports/2764830",
"CWE": {
"id": "CWE-1025",
"desc": "Comparison Using Wrong Factors"
},
"award": {
"amount": "540",
"currency": "USD"
},
"last_affected": "8.10.1",
"severity": "Low"
},
"published": "2024-11-05T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.74.0"},
{"fixed": "8.11.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "7385610d0c74c6a254fea5e4cd6e1d559d848c8c"},
{"fixed": "a94973805df96269bf3f3bf0a20ccb9887313316"}
]
}
],
"versions": [
"8.10.1", "8.10.0", "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0",
"8.6.0", "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2",
"8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0",
"7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0",
"7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0",
"7.75.0", "7.74.0"
]
}
],
"credits": [
{
"name": "newfunction",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2024-8096",
"aliases": [
"CVE-2024-8096"
],
"summary": "OCSP stapling bypass with GnuTLS",
"modified": "2024-10-24T18:05:41.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2024-8096.json",
"www": "https://curl.se/docs/CVE-2024-8096.html",
"issue": "https://hackerone.com/reports/2669852",
"CWE": {
"id": "CWE-295",
"desc": "Improper Certificate Validation"
},
"award": {
"amount": "2540",
"currency": "USD"
},
"last_affected": "8.9.1",
"severity": "Medium"
},
"published": "2024-09-11T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.41.0"},
{"fixed": "8.10.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "f13669a375f5bfd14797bda91642cabe076974fa"},
{"fixed": "aeb1a281cab13c7ba791cb104e556b20e713941f"}
]
}
],
"versions": [
"8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", "8.5.0",
"8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0",
"8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0",
"7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1",
"7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0",
"7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0",
"7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0",
"7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0",
"7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0",
"7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0",
"7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0",
"7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1",
"7.42.0", "7.41.0"
]
}
],
"credits": [
{
"name": "Hiroki Kurosawa",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "When curl is told to use the Certificate Status Request TLS extension, often\nreferred to as OCSP stapling, to verify that the server certificate is valid,\nit might fail to detect some OCSP problems and instead wrongly consider the\nresponse as fine.\n\nIf the returned status reports another error than \"revoked\" (like for example\n\"unauthorized\") it is not treated as a bad certificate."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2024-7264",
"aliases": [
"CVE-2024-7264"
],
"summary": "ASN.1 date parser overread",
"modified": "2024-07-31T09:57:12.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2024-7264.json",
"www": "https://curl.se/docs/CVE-2024-7264.html",
"issue": "https://hackerone.com/reports/2629968",
"CWE": {
"id": "CWE-125",
"desc": "Out-of-bounds Read"
},
"award": {
"amount": "540",
"currency": "USD"
},
"last_affected": "8.9.0",
"severity": "Low"
},
"published": "2024-07-31T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.32.0"},
{"fixed": "8.9.1"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "3a24cb7bc456366cbc3a03f7ab6d2576105a1f2d"},
{"fixed": "27959ecce75cdb2809c0bdb3286e60e08fadb519"}
]
}
],
"versions": [
"8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", "8.5.0", "8.4.0",
"8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1",
"8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0",
"7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0",
"7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0",
"7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0",
"7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1",
"7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0",
"7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1",
"7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3",
"7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1",
"7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0",
"7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0",
"7.35.0", "7.34.0", "7.33.0", "7.32.0"
]
}
],
"credits": [
{
"name": "Dov Murik (Transmit Security)",
"type": "FINDER"
},
{
"name": "Stefan Eissing",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an\nASN.1 Generalized Time field. If given a syntactically incorrect field, the\nparser might end up using -1 for the length of the *time fraction*, leading to\na `strlen()` getting performed on a pointer to a heap buffer area that is not\n(purposely) null terminated.\n\nThis flaw most likely leads to a crash, but can also lead to heap contents\ngetting returned to the application when\n[CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2024-6874",
"aliases": [
"CVE-2024-6874"
],
"summary": "macidn punycode buffer overread",
"modified": "2024-08-07T14:48:26.00Z",
"database_specific": {
"package": "curl",
"affects": "lib",
"URL": "https://curl.se/docs/CVE-2024-6874.json",
"www": "https://curl.se/docs/CVE-2024-6874.html",
"issue": "https://hackerone.com/reports/2604391",
"CWE": {
"id": "CWE-126",
"desc": "Buffer Over-read"
},
"award": {
"amount": "540",
"currency": "USD"
},
"last_affected": "8.8.0",
"severity": "Low"
},
"published": "2024-07-24T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "8.8.0"},
{"fixed": "8.9.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "add22feeef07858307be5722e1869e082554290e"},
{"fixed": "686d54baf1df6e0775898f484d1670742898b3b2"}
]
}
],
"versions": [
"8.8.0"
]
}
],
"credits": [
{
"name": "z2_",
"type": "FINDER"
},
{
"name": "z2_",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl's URL API function\n[curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) offers punycode\nconversions, to and from IDN. Asking to convert a name that is exactly 256\nbytes, libcurl ends up reading outside of a stack based buffer when built to\nuse the *macidn* IDN backend. The conversion function then fills up the\nprovided buffer exactly - but does not null terminate the string.\n\nThis flaw can lead to stack contents accidentally getting returned as part of\nthe converted string."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2024-6197",
"aliases": [
"CVE-2024-6197"
],
"summary": "freeing stack buffer in utf8asn1str",
"modified": "2024-08-07T23:17:54.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2024-6197.json",
"www": "https://curl.se/docs/CVE-2024-6197.html",
"issue": "https://hackerone.com/reports/2559516",
"CWE": {
"id": "CWE-590",
"desc": "Free of Memory not on the Heap"
},
"award": {
"amount": "2540",
"currency": "USD"
},
"last_affected": "8.8.0",
"severity": "Medium"
},
"published": "2024-07-24T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "8.6.0"},
{"fixed": "8.9.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "623c3a8fa0bdb2751f14b3741760d81910b7ec64"},
{"fixed": "3a537a4db9e65e545ec45b1b5d5575ee09a2569d"}
]
}
],
"versions": [
"8.8.0", "8.7.1", "8.7.0", "8.6.0"
]
}
],
"credits": [
{
"name": "z2_",
"type": "FINDER"
},
{
"name": "z2_",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl's ASN1 parser has this `utf8asn1str()` function used for parsing an\nASN.1 UTF-8 string. It can detect an invalid field and return error.\nUnfortunately, when doing so it also invokes `free()` on a 4 byte local stack\nbuffer.\n\nMost modern malloc implementations detect this error and immediately abort.\nSome however accept the input pointer and add that memory to its list of\navailable chunks. This leads to the overwriting of nearby stack memory. The\ncontent of the overwrite is decided by the `free()` implementation; likely to\nbe memory pointers and a set of flags.\n\nThe most likely outcome of exploiting this flaw is a crash, although it cannot\nbe ruled out that more serious results can be had in special circumstances."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2024-2466",
"aliases": [
"CVE-2024-2466"
],
"summary": "TLS certificate check bypass with mbedTLS",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2024-2466.json",
"www": "https://curl.se/docs/CVE-2024-2466.html",
"issue": "https://hackerone.com/reports/2416725",
"CWE": {
"id": "CWE-297",
"desc": "Improper Validation of Certificate with Host Mismatch"
},
"award": {
"amount": "2540",
"currency": "USD"
},
"last_affected": "8.6.0",
"severity": "Medium"
},
"published": "2024-03-27T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "8.5.0"},
{"fixed": "8.7.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "fa714830e92cba7b16b9d3f2cc92a72ee9d821fa"},
{"fixed": "3d0fd382a29b95561b90b7ea3e7eb04dfdd43538"}
]
}
],
"versions": [
"8.6.0", "8.5.0"
]
}
],
"credits": [
{
"name": "Frank Yueh",
"type": "FINDER"
},
{
"name": "Stefan Eissing",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl did not check the server certificate of TLS connections done to a host\nspecified as an IP address, when built to use mbedTLS.\n\nlibcurl would wrongly avoid using the set hostname function when the specified\nhostname was given as an IP address, therefore completely skipping the\ncertificate check. This affects all uses of TLS protocols (HTTPS, FTPS, IMAPS,\nPOPS3, SMTPS, etc)."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2024-2398",
"aliases": [
"CVE-2024-2398"
],
"summary": "HTTP/2 push headers memory-leak",
"modified": "2024-03-26T10:36:00.00Z",
"database_specific": {
"package": "curl",
"affects": "lib",
"URL": "https://curl.se/docs/CVE-2024-2398.json",
"www": "https://curl.se/docs/CVE-2024-2398.html",
"issue": "https://hackerone.com/reports/2402845",
"CWE": {
"id": "CWE-772",
"desc": "Missing Release of Resource after Effective Lifetime"
},
"award": {
"amount": "2540",
"currency": "USD"
},
"last_affected": "8.6.0",
"severity": "Medium"
},
"published": "2024-03-27T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.44.0"},
{"fixed": "8.7.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "ea7134ac874a66107e54ff93657ac565cf2ec4aa"},
{"fixed": "deca8039991886a559b67bcd6701db800a5cf764"}
]
}
],
"versions": [
"8.6.0", "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2",
"8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0",
"7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0",
"7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0",
"7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0",
"7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2",
"7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1",
"7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0",
"7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1",
"7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1",
"7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0"
]
}
],
"credits": [
{
"name": "w0x42 on hackerone",
"type": "FINDER"
},
{
"name": "Stefan Eissing",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "When an application tells libcurl it wants to allow HTTP/2 server push, and\nthe amount of received headers for the push surpasses the maximum allowed\nlimit (1000), libcurl aborts the server push. When aborting, libcurl\ninadvertently does not free all the previously allocated headers and instead\nleaks the memory.\n\nFurther, this error condition fails silently and is therefore not easily\ndetected by an application."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2024-2379",
"aliases": [
"CVE-2024-2379"
],
"summary": "QUIC certificate check bypass with wolfSSL",
"modified": "2024-03-26T10:36:00.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2024-2379.json",
"www": "https://curl.se/docs/CVE-2024-2379.html",
"issue": "https://hackerone.com/reports/2410774",
"CWE": {
"id": "CWE-295",
"desc": "Improper Certificate Validation"
},
"award": {
"amount": "540",
"currency": "USD"
},
"last_affected": "8.6.0",
"severity": "Low"
},
"published": "2024-03-27T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "8.6.0"},
{"fixed": "8.7.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "5d044ad9480a9f556f4b6a252d7533b1ba7fe57e"},
{"fixed": "aedbbdf18e689a5eee8dc39600914f5eda6c409c"}
]
}
],
"versions": [
"8.6.0"
]
}
],
"credits": [
{
"name": "Dexter Gerig",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl skips the certificate verification for a QUIC connection under certain\nconditions, when built to use wolfSSL. If told to use an unknown/bad cipher or\ncurve, the error path accidentally skips the verification and returns OK, thus\nignoring any certificate problems."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2024-2004",
"aliases": [
"CVE-2024-2004"
],
"summary": "Usage of disabled protocol",
"modified": "2024-03-26T10:36:00.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2024-2004.json",
"www": "https://curl.se/docs/CVE-2024-2004.html",
"issue": "https://hackerone.com/reports/2384833",
"CWE": {
"id": "CWE-115",
"desc": "Misinterpretation of Input"
},
"award": {
"amount": "540",
"currency": "USD"
},
"last_affected": "8.6.0",
"severity": "Low"
},
"published": "2024-03-27T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.85.0"},
{"fixed": "8.7.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "e6f8445edef8e7996d1cfb141d6df184efef972c"},
{"fixed": "17d302e56221f5040092db77d4f85086e8a20e0e"}
]
}
],
"versions": [
"8.6.0", "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2",
"8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0",
"7.86.0", "7.85.0"
]
}
],
"credits": [
{
"name": "Dan Fandrich",
"type": "FINDER"
},
{
"name": "Daniel Gustafsson",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "When a protocol selection parameter option disables all protocols without\nadding any then the default set of protocols would remain in the allowed set\ndue to an error in the logic for removing protocols. The below command would\nperform a request to curl.se with a plaintext protocol which has been\nexplicitly disabled.\n\n curl --proto -all,-http http://curl.se\n\nThe flaw is only present if the set of selected protocols disables the entire\nset of available protocols, in itself a command with no practical use and\ntherefore unlikely to be encountered in real situations. The curl security team\nhas thus assessed this to be low severity bug."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2024-0853",
"aliases": [
"CVE-2024-0853"
],
"summary": "OCSP verification bypass with TLS session reuse",
"modified": "2024-01-31T08:07:21.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2024-0853.json",
"www": "https://curl.se/docs/CVE-2024-0853.html",
"issue": "https://hackerone.com/reports/2298922",
"CWE": {
"id": "CWE-299",
"desc": "Improper Check for Certificate Revocation"
},
"award": {
"amount": "540",
"currency": "USD"
},
"last_affected": "8.5.0",
"severity": "Low"
},
"published": "2024-01-31T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "8.5.0"},
{"fixed": "8.6.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "395365ad2d9a6c3f1a35d5e268a6af2824129832"},
{"fixed": "c28e9478cb2548848eca9b765d0d409bfb18668c"}
]
}
],
"versions": [
"8.5.0"
]
}
],
"credits": [
{
"name": "Hiroki Kurosawa",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "curl inadvertently kept the SSL session ID for connections in its cache even\nwhen the verify status (*OCSP stapling*) test failed. A subsequent transfer to\nthe same hostname could then succeed if the session ID cache was still fresh,\nwhich then skipped the verify status check."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2023-46219",
"aliases": [
"CVE-2023-46219"
],
"summary": "HSTS long filename clears contents",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2023-46219.json",
"www": "https://curl.se/docs/CVE-2023-46219.html",
"issue": "https://hackerone.com/reports/2236133",
"CWE": {
"id": "CWE-311",
"desc": "Missing Encryption of Sensitive Data"
},
"award": {
"amount": "540",
"currency": "USD"
},
"last_affected": "8.4.0",
"severity": "Low"
},
"published": "2023-12-06T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.84.0"},
{"fixed": "8.5.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "20f9dd6bae50b7223171b17ba7798946e74f877f"},
{"fixed": "73b65e94f3531179de45c6f3c836a610e3d0a846"}
]
}
],
"versions": [
"8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0",
"8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0",
"7.84.0"
]
}
],
"credits": [
{
"name": "Maksymilian Arciemowicz",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "When saving HSTS data to an excessively long filename, curl could end up\nremoving all contents, making subsequent requests using that file unaware of\nthe HSTS status they should otherwise use."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2023-46218",
"aliases": [
"CVE-2023-46218"
],
"summary": "cookie mixed case PSL bypass",
"modified": "2024-01-12T23:40:27.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2023-46218.json",
"www": "https://curl.se/docs/CVE-2023-46218.html",
"issue": "https://hackerone.com/reports/2212193",
"CWE": {
"id": "CWE-201",
"desc": "Information Exposure Through Sent Data"
},
"award": {
"amount": "2540",
"currency": "USD"
},
"last_affected": "8.4.0",
"severity": "Medium"
},
"published": "2023-12-06T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.46.0"},
{"fixed": "8.5.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "e77b5b7453c1e8ccd7ec0816890d98e2f392e465"},
{"fixed": "2b0994c29a721c91c572cff7808c572a24d251eb"}
]
}
],
"versions": [
"8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0",
"8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0",
"7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1",
"7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0",
"7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0",
"7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0",
"7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0",
"7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0",
"7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0",
"7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0",
"7.47.1", "7.47.0", "7.46.0"
]
}
],
"credits": [
{
"name": "Harry Sintonen",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "This flaw allows a malicious HTTP server to set \"super cookies\" in curl that\nare then passed back to more origins than what is otherwise allowed or\npossible. This allows a site to set cookies that then would get sent to\ndifferent and unrelated sites and domains.\n\nIt could do this by exploiting a mixed case flaw in curl's function that\nverifies a given cookie domain against the Public Suffix List (PSL). For\nexample a cookie could be set with `domain=co.UK` when the URL used a\nlowercase hostname `curl.co.uk`, even though `co.uk` is listed as a PSL\ndomain."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2023-38546",
"aliases": [
"CVE-2023-38546"
],
"summary": "cookie injection with none file",
"modified": "2024-07-02T09:22:24.00Z",
"database_specific": {
"package": "curl",
"affects": "lib",
"URL": "https://curl.se/docs/CVE-2023-38546.json",
"www": "https://curl.se/docs/CVE-2023-38546.html",
"issue": "https://hackerone.com/reports/2148242",
"CWE": {
"id": "CWE-73",
"desc": "External Control of filename or Path"
},
"award": {
"amount": "540",
"currency": "USD"
},
"last_affected": "8.3.0",
"severity": "Low"
},
"published": "2023-10-11T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.9.1"},
{"fixed": "8.4.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "74d5a6fb3b9a96d9fa51ba90996e94c878ebd151"},
{"fixed": "61275672b46d9abb3285740467b882e22ed75da8"}
]
}
],
"versions": [
"8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1",
"8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0",
"7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0",
"7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0",
"7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0",
"7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1",
"7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0",
"7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1",
"7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3",
"7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1",
"7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0",
"7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0",
"7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0",
"7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1",
"7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3",
"7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6",
"7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2",
"7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2",
"7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1",
"7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3",
"7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8",
"7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1",
"7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3",
"7.9.2", "7.9.1"
]
}
],
"credits": [
{
"name": "w0x42 on hackerone",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "This flaw allows an attacker to intentionally inject cookies into a running\nprogram using libcurl, if the specific series of conditions are met.\n\nlibcurl performs transfers. In its API, an application creates \"easy handles\"\nthat are the individual handles for single transfers.\n\nlibcurl provides a function call that duplicates an easy handle called\n[curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html).\n\nIf a transfer has cookies enabled when the handle is duplicated, the\ncookie-enable state is also cloned - but without cloning the actual\ncookies. If the source handle did not read any cookies from a specific file on\ndisk, the cloned version of the handle would instead store the filename as\n`none` (using the four ASCII letters, no quotes).\n\nSubsequent use of the cloned handle that does not explicitly set a source to\nload cookies from would then inadvertently load cookies from a file named\n`none` - if such a file exists and is readable in the current directory of the\nprogram using libcurl, when using the correct file format of course."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2023-38545",
"aliases": [
"CVE-2023-38545"
],
"summary": "SOCKS5 heap buffer overflow",
"modified": "2023-11-19T16:44:33.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2023-38545.json",
"www": "https://curl.se/docs/CVE-2023-38545.html",
"issue": "https://hackerone.com/reports/2187833",
"CWE": {
"id": "CWE-122",
"desc": "Heap-based Buffer Overflow"
},
"award": {
"amount": "4660",
"currency": "USD"
},
"last_affected": "8.3.0",
"severity": "High"
},
"published": "2023-10-11T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.69.0"},
{"fixed": "8.4.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "4a4b63daaa01ef59b131d91e8e6e6dfe275c0f08"},
{"fixed": "fb4415d8aee6c1045be932a34fe6107c2f5ed147"}
]
}
],
"versions": [
"8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1",
"8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0",
"7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0",
"7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0",
"7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0"
]
}
],
"credits": [
{
"name": "Jay Satiro",
"type": "FINDER"
},
{
"name": "Jay Satiro",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy\nhandshake.\n\nWhen curl is asked to pass along the hostname to the SOCKS5 proxy to allow\nthat to resolve the address instead of it getting done by curl itself, the\nmaximum length that hostname can be is 255 bytes.\n\nIf the hostname is detected to be longer than 255 bytes, curl switches to\nlocal name resolving and instead passes on the resolved address only to the\nproxy. Due to a bug, the local variable that means \"let the host resolve the\nname\" could get the wrong value during a slow SOCKS5 handshake, and contrary\nto the intention, copy the too long hostname to the target buffer instead of\ncopying just the resolved address there."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2023-38039",
"aliases": [
"CVE-2023-38039"
],
"summary": "HTTP headers eat all memory",
"modified": "2025-05-15T17:48:29.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2023-38039.json",
"www": "https://curl.se/docs/CVE-2023-38039.html",
"issue": "https://hackerone.com/reports/2072338",
"CWE": {
"id": "CWE-770",
"desc": "Allocation of Resources Without Limits or Throttling"
},
"award": {
"amount": "2540",
"currency": "USD"
},
"last_affected": "8.2.1",
"severity": "Medium"
},
"published": "2023-09-13T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.84.0"},
{"fixed": "8.3.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "4d94fac9f0d1dd02b8308291e4c47651142dc28b"},
{"fixed": "3ee79c1674fd6f99e8efca52cd7510e08b766770"}
]
}
],
"versions": [
"8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0",
"7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0"
]
}
],
"credits": [
{
"name": "selmelc on hackerone",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "When curl retrieves an HTTP response, it stores the incoming headers so that\nthey can be accessed later via the libcurl headers API.\n\nHowever, curl did not have a limit on the size or quantity of headers it would\naccept in a response, allowing a malicious server to stream an endless series\nof headers to a client and eventually cause curl to run out of heap memory."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2023-28322",
"aliases": [
"CVE-2023-28322"
],
"summary": "more POST-after-PUT confusion",
"modified": "2025-05-15T17:48:29.00Z",
"database_specific": {
"package": "curl",
"affects": "lib",
"URL": "https://curl.se/docs/CVE-2023-28322.json",
"www": "https://curl.se/docs/CVE-2023-28322.html",
"issue": "https://hackerone.com/reports/1954658",
"CWE": {
"id": "CWE-440",
"desc": "Expected Behavior Violation"
},
"award": {
"amount": "480",
"currency": "USD"
},
"last_affected": "8.0.1",
"severity": "Low"
},
"published": "2023-05-17T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.7"},
{"fixed": "8.1.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "546572da0457f37c698c02d0a08d90fdfcbeedec"},
{"fixed": "7815647d6582c0a4900be2e1de6c5e61272c496b"}
]
}
],
"versions": [
"8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0",
"7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1",
"7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0",
"7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0",
"7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0",
"7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0",
"7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0",
"7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0",
"7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0",
"7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1",
"7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0",
"7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0",
"7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0",
"7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4",
"7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7",
"7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0",
"7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3",
"7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2",
"7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0",
"7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0",
"7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2",
"7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4",
"7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3",
"7.7.2", "7.7.1", "7.7"
]
}
],
"credits": [
{
"name": "Hiroki Kurosawa",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "When doing HTTP(S) transfers, libcurl might erroneously use the read callback\n(`CURLOPT_READFUNCTION`) to ask for data to send, even when the\n`CURLOPT_POSTFIELDS` option has been set, if the same handle previously was\nused to issue a `PUT` request which used that callback.\n\nThis flaw may surprise the application and cause it to misbehave and either\nsend off the wrong data or use memory after free or similar in the second\ntransfer.\n\nThe problem exists in the logic for a reused handle when it is (expected to\nbe) changed from a PUT to a POST."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2023-28321",
"aliases": [
"CVE-2023-28321"
],
"summary": "IDN wildcard match",
"modified": "2025-05-15T17:48:29.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2023-28321.json",
"www": "https://curl.se/docs/CVE-2023-28321.html",
"issue": "https://hackerone.com/reports/1950627",
"CWE": {
"id": "CWE-295",
"desc": "Improper Certificate Validation"
},
"award": {
"amount": "480",
"currency": "USD"
},
"last_affected": "8.0.1",
"severity": "Low"
},
"published": "2023-05-17T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.12.0"},
{"fixed": "8.1.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "9631fa740708b1890197fad01e25b34b7e8eb80e"},
{"fixed": "199f2d440d8659b42670c1b796220792b01a97bf"}
]
}
],
"versions": [
"8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0",
"7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1",
"7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0",
"7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0",
"7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0",
"7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0",
"7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0",
"7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0",
"7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0",
"7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1",
"7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0",
"7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0",
"7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0",
"7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4",
"7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7",
"7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0",
"7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3",
"7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2",
"7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0",
"7.12.3", "7.12.2", "7.12.1", "7.12.0"
]
}
],
"credits": [
{
"name": "Hiroki Kurosawa",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "curl supports matching of wildcard patterns when listed as \"Subject\nAlternative Name\" in TLS server certificates. curl can be built to use its own\nname matching function for TLS rather than one provided by a TLS library. This\nprivate wildcard matching function would match IDN (International Domain Name)\nhosts incorrectly and could as a result accept patterns that otherwise should\nmismatch.\n\nIDN hostnames are converted to puny code before used for certificate\nchecks. Puny coded names always start with `xn--` and should not be allowed to\npattern match, but the wildcard check in curl could still check for `x*`,\nwhich would match even though the IDN name most likely contained nothing even\nresembling an `x`."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2023-28320",
"aliases": [
"CVE-2023-28320"
],
"summary": "siglongjmp race condition",
"modified": "2025-05-15T17:48:29.00Z",
"database_specific": {
"package": "curl",
"affects": "lib",
"URL": "https://curl.se/docs/CVE-2023-28320.json",
"www": "https://curl.se/docs/CVE-2023-28320.html",
"issue": "https://hackerone.com/reports/1929597",
"CWE": {
"id": "CWE-662",
"desc": "Improper Synchronization"
},
"award": {
"amount": "480",
"currency": "USD"
},
"last_affected": "8.0.1",
"severity": "Low"
},
"published": "2023-05-17T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.9.8"},
{"fixed": "8.1.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "3c49b405de4fbf1fd7127f91908261268640e54f"},
{"fixed": "13718030ad4b3209a7583b4f27f683cd3a6fa5f2"}
]
}
],
"versions": [
"8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0",
"7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1",
"7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0",
"7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0",
"7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0",
"7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0",
"7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0",
"7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0",
"7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0",
"7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1",
"7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0",
"7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0",
"7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0",
"7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4",
"7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7",
"7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0",
"7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3",
"7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2",
"7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0",
"7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0",
"7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2",
"7.10.1", "7.10", "7.9.8"
]
}
],
"credits": [
{
"name": "Harry Sintonen",
"type": "FINDER"
},
{
"name": "Harry Sintonen",
"type": "REMEDIATION_DEVELOPER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl provides several different backends for resolving hostnames, selected\nat build time. If it is built to use the synchronous resolver, it allows name\nresolves to time-out slow operations using `alarm()` and `siglongjmp()`.\n\nWhen doing this, libcurl used a global buffer that was not mutex protected and\na multi-threaded application might therefore crash or otherwise misbehave."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2023-28319",
"aliases": [
"CVE-2023-28319"
],
"summary": "UAF in SSH sha256 fingerprint check",
"modified": "2025-05-15T17:48:29.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2023-28319.json",
"www": "https://curl.se/docs/CVE-2023-28319.html",
"issue": "https://hackerone.com/reports/1913733",
"CWE": {
"id": "CWE-416",
"desc": "Use After Free"
},
"award": {
"amount": "2400",
"currency": "USD"
},
"last_affected": "8.0.1",
"severity": "Medium"
},
"published": "2023-05-17T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.81.0"},
{"fixed": "8.1.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "3467e89bb97e6c87c77e82a046c59cb4b2d29a74"},
{"fixed": "8e21b1a05f3c0ee098dbcb6c3d84cb61f102a122"}
]
}
],
"versions": [
"8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0",
"7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0"
]
}
],
"credits": [
{
"name": "Wei Chong Tan",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl offers a feature to verify an SSH server's public key using a SHA 256\nhash. When this check fails, libcurl would free the memory for the fingerprint\nbefore it returns an error message containing the (now freed) hash.\n\nThis flaw risks inserting sensitive heap-based data into the error message\nthat might be shown to users or otherwise get leaked and revealed."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2023-27538",
"aliases": [
"CVE-2023-27538"
],
"summary": "SSH connection too eager reuse still",
"modified": "2025-05-15T17:48:29.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2023-27538.json",
"www": "https://curl.se/docs/CVE-2023-27538.html",
"issue": "https://hackerone.com/reports/1898475",
"CWE": {
"id": "CWE-305",
"desc": "Authentication Bypass by Primary Weakness"
},
"award": {
"amount": "480",
"currency": "USD"
},
"last_affected": "7.88.1",
"severity": "Low"
},
"published": "2023-03-20T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.16.1"},
{"fixed": "8.0.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "2147284cad624325f5b0034c2f394db62086d9e6"},
{"fixed": "af369db4d3833272b8ed443f7fcc2e757a0872eb"}
]
}
],
"versions": [
"7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1",
"7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0",
"7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0",
"7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0",
"7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0",
"7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0",
"7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0",
"7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2",
"7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0",
"7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0",
"7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0",
"7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1",
"7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0",
"7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2",
"7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5",
"7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1",
"7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1"
]
}
],
"credits": [
{
"name": "Harry Sintonen",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl would reuse a previously created connection even when an SSH related\noption had been changed that should have prohibited reuse.\n\nlibcurl keeps previously used connections in a connection pool for subsequent\ntransfers to reuse if one of them matches the setup. However, two SSH settings\nwere left out from the configuration match checks, making them match too\neasily."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2023-27537",
"aliases": [
"CVE-2023-27537"
],
"summary": "HSTS double free",
"modified": "2023-05-10T00:38:10.00Z",
"database_specific": {
"package": "curl",
"affects": "lib",
"URL": "https://curl.se/docs/CVE-2023-27537.json",
"www": "https://curl.se/docs/CVE-2023-27537.html",
"issue": "https://hackerone.com/reports/1897203",
"CWE": {
"id": "CWE-415",
"desc": "Double Free"
},
"award": {
"amount": "480",
"currency": "USD"
},
"last_affected": "7.88.1",
"severity": "Low"
},
"published": "2023-03-20T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.88.0"},
{"fixed": "8.0.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "076a2f629119222aeeb50f5a03bf9f9052fabb9a"},
{"fixed": "dca4cdf071be095bcdc7126eaa77a8946ea4790b"}
]
}
],
"versions": [
"7.88.1", "7.88.0"
]
}
],
"credits": [
{
"name": "Hiroki Kurosawa",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl supports sharing HSTS data between separate \"handles\". This sharing\nwas introduced without considerations for doing this sharing across separate\nthreads but there was no indication of this fact in the documentation.\n\nDue to missing mutexes or thread locks, two threads sharing the same HSTS data\ncould end up doing a double free or use after free."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2023-27536",
"aliases": [
"CVE-2023-27536"
],
"summary": "GSS delegation too eager connection reuse",
"modified": "2025-09-27T10:58:29.00Z",
"database_specific": {
"package": "curl",
"affects": "lib",
"URL": "https://curl.se/docs/CVE-2023-27536.json",
"www": "https://curl.se/docs/CVE-2023-27536.html",
"issue": "https://hackerone.com/reports/1895135",
"CWE": {
"id": "CWE-305",
"desc": "Authentication Bypass by Primary Weakness"
},
"award": {
"amount": "480",
"currency": "USD"
},
"last_affected": "7.88.1",
"severity": "Low"
},
"published": "2023-03-20T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.22.0"},
{"fixed": "8.0.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "ebf42c4be76df40ec6d3bf32f229bbb274e2c32f"},
{"fixed": "cb49e67303dbafbab1cebf4086e3ec15b7d56ee5"}
]
}
],
"versions": [
"7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1",
"7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0",
"7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0",
"7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0",
"7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0",
"7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0",
"7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0",
"7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2",
"7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0",
"7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0",
"7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0",
"7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1",
"7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0",
"7.22.0"
]
}
],
"credits": [
{
"name": "Harry Sintonen",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl would reuse a previously created connection even when the GSS\ndelegation (`CURLOPT_GSSAPI_DELEGATION`) option had been changed that could\nhave changed the user's permissions in a second transfer.\n\nlibcurl keeps previously used connections in a connection pool for subsequent\ntransfers to reuse if one of them matches the setup. However, this GSS\ndelegation setting was left out from the configuration match checks, making\nthem match too easily, affecting krb5/kerberos/negotiate/GSSAPI transfers."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2023-27535",
"aliases": [
"CVE-2023-27535"
],
"summary": "FTP too eager connection reuse",
"modified": "2023-05-09T13:59:45.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2023-27535.json",
"www": "https://curl.se/docs/CVE-2023-27535.html",
"issue": "https://hackerone.com/reports/1892780",
"CWE": {
"id": "CWE-305",
"desc": "Authentication Bypass by Primary Weakness"
},
"award": {
"amount": "2400",
"currency": "USD"
},
"last_affected": "7.88.1",
"severity": "Medium"
},
"published": "2023-03-20T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.13.0"},
{"fixed": "8.0.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "177dbc7be07125582ddb7416dba7140b88ab9f62"},
{"fixed": "8f4608468b890dce2dad9f91d5607ee7e9c1aba1"}
]
}
],
"versions": [
"7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1",
"7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0",
"7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0",
"7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0",
"7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0",
"7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0",
"7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0",
"7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2",
"7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0",
"7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0",
"7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0",
"7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1",
"7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0",
"7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2",
"7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5",
"7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1",
"7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1",
"7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0",
"7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0"
]
}
],
"credits": [
{
"name": "Harry Sintonen",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl would reuse a previously created FTP connection even when one or more\noptions had been changed that could have made the effective user a very\ndifferent one, thus leading to doing the second transfer with the wrong\ncredentials.\n\nlibcurl keeps previously used connections in a connection pool for subsequent\ntransfers to reuse if one of them matches the setup. However, several FTP\nsettings were left out from the configuration match checks, making them match\ntoo easily. The settings in question are `CURLOPT_FTP_ACCOUNT`,\n`CURLOPT_FTP_ALTERNATIVE_TO_USER`, `CURLOPT_FTP_SSL_CCC` and `CURLOPT_USE_SSL`\nlevel."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2023-27534",
"aliases": [
"CVE-2023-27534"
],
"summary": "SFTP path ~ resolving discrepancy",
"modified": "2023-05-09T13:59:45.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2023-27534.json",
"www": "https://curl.se/docs/CVE-2023-27534.html",
"issue": "https://hackerone.com/reports/1892351",
"CWE": {
"id": "CWE-22",
"desc": "Improper Limitation of a Pathname to a Restricted Directory"
},
"award": {
"amount": "480",
"currency": "USD"
},
"last_affected": "7.88.1",
"severity": "Low"
},
"published": "2023-03-20T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.18.0"},
{"fixed": "8.0.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "ba6f20a2442ab1ebfe947cff19a552f92114a29a"},
{"fixed": "4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6"}
]
}
],
"versions": [
"7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1",
"7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0",
"7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0",
"7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0",
"7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0",
"7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0",
"7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0",
"7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2",
"7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0",
"7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0",
"7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0",
"7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1",
"7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0",
"7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2",
"7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5",
"7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1",
"7.18.0"
]
}
],
"credits": [
{
"name": "Harry Sintonen",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "curl supports SFTP transfers. curl's SFTP implementation offers a special\nfeature in the path component of URLs: a tilde (`~`) character as the first\npath element in the path denotes a path relative to the user's home\ndirectory. This is supported because of wording in the [once proposed\nto-become RFC\ndraft](https://datatracker.ietf.org/doc/html/draft-ietf-secsh-scp-sftp-ssh-uri-04)\nthat was to dictate how SFTP URLs work.\n\nDue to a bug, the handling of the tilde in SFTP path did however not only\nreplace it when it is used stand-alone as the first path element but also\nwrongly when used as a mere prefix in the first element.\n\nUsing a path like `/~2/foo` when accessing a server using the user `dan` (with\nhome directory `/home/dan`) would then quite surprisingly access the file\n`/home/dan2/foo`.\n\nThis can be taken advantage of to circumvent filtering or worse."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2023-27533",
"aliases": [
"CVE-2023-27533"
],
"summary": "TELNET option IAC injection",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2023-27533.json",
"www": "https://curl.se/docs/CVE-2023-27533.html",
"issue": "https://hackerone.com/reports/1891474",
"CWE": {
"id": "CWE-75",
"desc": "Failure to Sanitize Special Elements into a Different Plane"
},
"award": {
"amount": "480",
"currency": "USD"
},
"last_affected": "7.88.1",
"severity": "Low"
},
"published": "2023-03-20T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.7"},
{"fixed": "8.0.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "a1d6ad26100bc493c7b04f1301b1634b7f5aa8b4"},
{"fixed": "538b1e79a6e7b0bb829ab4cecc828d32105d0684"}
]
}
],
"versions": [
"7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1",
"7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0",
"7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0",
"7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0",
"7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0",
"7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0",
"7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0",
"7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2",
"7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0",
"7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0",
"7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0",
"7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1",
"7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0",
"7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2",
"7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5",
"7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1",
"7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1",
"7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0",
"7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2",
"7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7",
"7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10",
"7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2",
"7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1",
"7.7"
]
}
],
"credits": [
{
"name": "Harry Sintonen",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "curl supports communicating using the TELNET protocol and as a part of this it\nlets users pass on a username and \"telnet options\" for the server\nnegotiation.\n\nDue to lack of proper input scrubbing and without it being the documented\nfunctionality, curl would pass on username and telnet options to the server\nas provided. This could allow users to pass in carefully crafted content that\npasses on content or does option negotiation without the application intending to\ndo so. In particular if an application for example allows users to provide the\ndata or parts of the data."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2023-23916",
"aliases": [
"CVE-2023-23916"
],
"summary": "HTTP multi-header compression denial of service",
"modified": "2025-05-15T17:48:29.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2023-23916.json",
"www": "https://curl.se/docs/CVE-2023-23916.html",
"issue": "https://hackerone.com/reports/1826048",
"CWE": {
"id": "CWE-770",
"desc": "Allocation of Resources Without Limits or Throttling"
},
"award": {
"amount": "2400",
"currency": "USD"
},
"last_affected": "7.87.0",
"severity": "Medium"
},
"published": "2023-02-15T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.57.0"},
{"fixed": "7.88.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "dbcced8e32b50c068ac297106f0502ee200a1ebd"},
{"fixed": "119fb187192a9ea13dc90d9d20c215fc82799ab9"}
]
}
],
"versions": [
"7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0",
"7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1",
"7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0",
"7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3",
"7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0",
"7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0"
]
}
],
"credits": [
{
"name": "Patrick Monnerat",
"type": "FINDER"
},
{
"name": "Patrick Monnerat",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "curl supports \"chained\" HTTP compression algorithms, meaning that a server\nresponse can be compressed multiple times and potentially with different\nalgorithms. The number of acceptable \"links\" in this \"decompression chain\" was\ncapped, but the cap was implemented on a per-header basis allowing a malicious\nserver to insert a virtually unlimited number of compression steps simply by\nusing many headers.\n\nThe use of such a decompression chain could result in a \"malloc bomb\", making\ncurl end up spending enormous amounts of allocated heap memory, or trying to\nand returning out of memory errors."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2023-23915",
"aliases": [
"CVE-2023-23915"
],
"summary": "HSTS amnesia with --parallel",
"modified": "2025-05-15T17:48:29.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2023-23915.json",
"www": "https://curl.se/docs/CVE-2023-23915.html",
"issue": "https://hackerone.com/reports/1814333",
"CWE": {
"id": "CWE-319",
"desc": "Cleartext Transmission of Sensitive Information"
},
"award": {
"amount": "480",
"currency": "USD"
},
"last_affected": "7.87.0",
"severity": "Low"
},
"published": "2023-02-15T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.77.0"},
{"fixed": "7.88.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "7385610d0c74c6a254fea5e4cd6e1d559d848c8c"},
{"fixed": "076a2f629119222aeeb50f5a03bf9f9052fabb9a"}
]
}
],
"versions": [
"7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0",
"7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0"
]
}
],
"credits": [
{
"name": "Harry Sintonen",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "curl's HSTS cache saving behaves wrongly when multiple URLs are requested in\nparallel.\n\nUsing its HSTS support, curl can be instructed to use HTTPS instead of using\nan insecure clear-text HTTP step even when HTTP is provided in the URL. This\nHSTS mechanism would however surprisingly fail when multiple transfers are done\nin parallel as the HSTS cache file gets overwritten by the most recently\ncompleted transfer.\n\nA later HTTP-only transfer to the earlier hostname would then *not* get\nupgraded properly to HSTS.\n\nReproducible like this:\n\n1. `curl --hsts hsts.txt --parallel https://curl.se https://example.com`\n2. `curl --hsts hsts.txt http://curl.se`"
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2023-23914",
"aliases": [
"CVE-2023-23914"
],
"summary": "HSTS ignored on multiple requests",
"modified": "2025-05-15T17:48:29.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2023-23914.json",
"www": "https://curl.se/docs/CVE-2023-23914.html",
"issue": "https://hackerone.com/reports/1813864",
"CWE": {
"id": "CWE-319",
"desc": "Cleartext Transmission of Sensitive Information"
},
"award": {
"amount": "480",
"currency": "USD"
},
"last_affected": "7.87.0",
"severity": "Low"
},
"published": "2023-02-15T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.77.0"},
{"fixed": "7.88.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "7385610d0c74c6a254fea5e4cd6e1d559d848c8c"},
{"fixed": "076a2f629119222aeeb50f5a03bf9f9052fabb9a"}
]
}
],
"versions": [
"7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0",
"7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0"
]
}
],
"credits": [
{
"name": "Harry Sintonen",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "curl's HSTS functionality fails when multiple URLs are requested serially.\n\nUsing its HSTS support, curl can be instructed to use HTTPS instead of using\nan insecure clear-text HTTP step even when HTTP is provided in the URL. This\nHSTS mechanism would however surprisingly be ignored by subsequent transfers\nwhen done on the same command line because the state would not be properly\ncarried on.\n\nReproducible like this:\n\n curl --hsts \"\" https://curl.se http://curl.se\n\nThe first URL returns HSTS information that the second URL fails to take\nadvantage of."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2022-43552",
"aliases": [
"CVE-2022-43552"
],
"summary": "HTTP Proxy deny use after free",
"modified": "2025-05-15T17:48:29.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2022-43552.json",
"www": "https://curl.se/docs/CVE-2022-43552.html",
"issue": "https://hackerone.com/reports/1764858",
"CWE": {
"id": "CWE-416",
"desc": "Use After Free"
},
"last_affected": "7.86.0",
"severity": "Low"
},
"published": "2022-12-21T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.16.0"},
{"fixed": "7.87.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "b7eeb6e67fca686f840eacd6b8394edb58b07482"},
{"fixed": "4f20188ac644afe174be6005ef4f6ffba232b8b2"}
]
}
],
"versions": [
"7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0",
"7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0",
"7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0",
"7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2",
"7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1",
"7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0",
"7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1",
"7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1",
"7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0",
"7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0",
"7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0",
"7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0",
"7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6",
"7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1",
"7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2",
"7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0",
"7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0"
]
}
],
"credits": [
{
"name": "Trail of Bits",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "curl can be asked to *tunnel* virtually all protocols it supports through an\nHTTP proxy. HTTP proxies can (and often do) deny such tunnel operations using\nan appropriate HTTP error response code.\n\nWhen getting denied to tunnel the specific protocols SMB or TELNET, curl would\nuse a heap-allocated struct after it had been freed, in its transfer shutdown\ncode path."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2022-43551",
"aliases": [
"CVE-2022-43551"
],
"summary": "Another HSTS bypass via IDN",
"modified": "2025-05-15T17:48:29.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2022-43551.json",
"www": "https://curl.se/docs/CVE-2022-43551.html",
"issue": "https://hackerone.com/reports/1755083",
"CWE": {
"id": "CWE-319",
"desc": "Cleartext Transmission of Sensitive Information"
},
"award": {
"amount": "2400",
"currency": "USD"
},
"last_affected": "7.86.0",
"severity": "Medium"
},
"published": "2022-12-21T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.77.0"},
{"fixed": "7.87.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "7385610d0c74c6a254fea5e4cd6e1d559d848c8c"},
{"fixed": "9e71901634e276dd050481c4320f046bebb1bc28"}
]
}
],
"versions": [
"7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0",
"7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0"
]
}
],
"credits": [
{
"name": "Hiroki Kurosawa",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "curl's HSTS check could be bypassed to trick it to keep using HTTP.\n\nUsing its HSTS support, curl can be instructed to use HTTPS instead of using\nan insecure clear-text HTTP step even when HTTP is provided in the URL.\n\nThe HSTS mechanism could be bypassed if the hostname in the given URL first\nuses IDN characters that get replaced to ASCII counterparts as part of the IDN\nconversion. Like using the character UTF-8 U+3002 (`IDEOGRAPHIC FULL STOP`)\ninstead of the common ASCII full stop (U+002E). Then in a subsequent request,\nit does not detect the HSTS state and makes a clear text transfer. Because it\nwould store the info IDN encoded but look for it IDN decoded.\n\nReproducible like this:\n\n curl --hsts hsts.txt https://curl%E3%80%82se\n curl --hsts hsts.txt http://curl%E3%80%82se"
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2022-42916",
"aliases": [
"CVE-2022-42916"
],
"summary": "HSTS bypass via IDN",
"modified": "2025-05-15T17:48:29.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2022-42916.json",
"www": "https://curl.se/docs/CVE-2022-42916.html",
"issue": "https://hackerone.com/reports/1730660",
"CWE": {
"id": "CWE-319",
"desc": "Cleartext Transmission of Sensitive Information"
},
"award": {
"amount": "2400",
"currency": "USD"
},
"last_affected": "7.85.0",
"severity": "Medium"
},
"published": "2022-10-26T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.77.0"},
{"fixed": "7.86.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "7385610d0c74c6a254fea5e4cd6e1d559d848c8c"},
{"fixed": "53bcf55b4538067e6dc36242168866becb987bb7"}
]
}
],
"versions": [
"7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0",
"7.79.1", "7.79.0", "7.78.0", "7.77.0"
]
}
],
"credits": [
{
"name": "Hiroki Kurosawa",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "curl's HSTS check could be bypassed to trick it to keep using HTTP.\n\nUsing its HSTS support, curl can be instructed to use HTTPS directly instead\nof using an insecure clear-text HTTP step even when HTTP is provided in the\nURL. This mechanism could be bypassed if the hostname in the given URL uses\nIDN characters that get replaced to ASCII counterparts as part of the IDN\nconversion. Like using the character UTF-8 U+3002 (`IDEOGRAPHIC FULL STOP`)\ninstead of the common ASCII full stop (U+002E) `.`.\n\nLike this: `http://curl。se。`"
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2022-42915",
"aliases": [
"CVE-2022-42915"
],
"summary": "HTTP proxy double free",
"modified": "2025-05-15T17:48:29.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2022-42915.json",
"www": "https://curl.se/docs/CVE-2022-42915.html",
"issue": "https://hackerone.com/reports/1722065",
"CWE": {
"id": "CWE-415",
"desc": "Double Free"
},
"last_affected": "7.85.0",
"severity": "Medium"
},
"published": "2022-10-26T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.77.0"},
{"fixed": "7.86.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "51c0ebcff2140c38ff389b4fcfb8216f5e9d198c"},
{"fixed": "55e1875729f9d9fc7315cec611bffbd2c817ad89"}
]
}
],
"versions": [
"7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0",
"7.79.1", "7.79.0", "7.78.0", "7.77.0"
]
}
],
"credits": [
{
"name": "Trail of Bits",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it\nsets up the connection to the remote server by issuing a `CONNECT` request to\nthe proxy, and then *tunnels* the rest of protocol through.\n\nAn HTTP proxy might refuse this request (HTTP proxies often only allow\noutgoing connections to specific port numbers, like 443 for HTTPS) and instead\nreturn a non-200 response code to the client.\n\nDue to flaws in the error/cleanup handling, this could trigger a double free\nin curl if one of the following schemes were used in the URL for the transfer:\n`dict`, `gopher`, `gophers`, `ldap`, `ldaps`, `rtmp`, `rtmps`, `telnet`"
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2022-35260",
"aliases": [
"CVE-2022-35260"
],
"summary": ".netrc parser out-of-bounds access",
"modified": "2025-05-15T17:48:29.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2022-35260.json",
"www": "https://curl.se/docs/CVE-2022-35260.html",
"issue": "https://hackerone.com/reports/1721098",
"CWE": {
"id": "CWE-121",
"desc": "Stack-based Buffer Overflow"
},
"award": {
"amount": "480",
"currency": "USD"
},
"last_affected": "7.85.0",
"severity": "Low"
},
"published": "2022-10-26T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.84.0"},
{"fixed": "7.86.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "eeaae10c0fb27aa066fdc296074edeacfdeb6522"},
{"fixed": "c97ec984fb2bc919a3aa863e0476dffa377b184c"}
]
}
],
"versions": [
"7.85.0", "7.84.0"
]
}
],
"credits": [
{
"name": "Hiroki Kurosawa",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "curl can be told to parse a `.netrc` file for credentials. If that file ends\nin a line with consecutive non-white space letters and no newline, curl could\nread past the end of the stack-based buffer, and if the read works, write a\nzero byte possibly beyond its boundary.\n\nThis does in most cases cause a segfault or similar, but circumstances might\nalso cause different outcomes.\n\nIf a malicious user can provide a custom netrc file to an application or\notherwise affect its contents, this flaw could be used as denial-of-service."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2022-32221",
"aliases": [
"CVE-2022-32221"
],
"summary": "POST following PUT confusion",
"modified": "2025-05-15T17:48:29.00Z",
"database_specific": {
"package": "curl",
"affects": "lib",
"URL": "https://curl.se/docs/CVE-2022-32221.json",
"www": "https://curl.se/docs/CVE-2022-32221.html",
"issue": "https://hackerone.com/reports/1704017",
"CWE": {
"id": "CWE-440",
"desc": "Expected Behavior Violation"
},
"award": {
"amount": "2400",
"currency": "USD"
},
"last_affected": "7.85.0",
"severity": "Medium"
},
"published": "2022-10-26T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.7"},
{"fixed": "7.86.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "546572da0457f37c698c02d0a08d90fdfcbeedec"},
{"fixed": "a64e3e59938abd7d667e4470a18072a24d7e9de9"}
]
}
],
"versions": [
"7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0",
"7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0",
"7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1",
"7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1",
"7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0",
"7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1",
"7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0",
"7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0",
"7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0",
"7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1",
"7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0",
"7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0",
"7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5",
"7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0",
"7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1",
"7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4",
"7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3",
"7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1",
"7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1",
"7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3",
"7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5",
"7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8",
"7.7.3", "7.7.2", "7.7.1", "7.7"
]
}
],
"credits": [
{
"name": "Robby Simpson",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "When doing HTTP(S) transfers, libcurl might erroneously use the read callback\n(`CURLOPT_READFUNCTION`) to ask for data to send, even when the\n`CURLOPT_POSTFIELDS` option has been set, if the same handle previously was\nused to issue a `PUT` request which used that callback.\n\nThis flaw may surprise the application and cause it to misbehave and either\nsend off the wrong data or use memory after free or similar in the subsequent\n`POST` request.\n\nThe problem exists in the logic for a reused handle when it is changed from a\nPUT to a POST."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2022-35252",
"aliases": [
"CVE-2022-35252"
],
"summary": "control code in cookie denial of service",
"modified": "2025-05-15T17:48:29.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2022-35252.json",
"www": "https://curl.se/docs/CVE-2022-35252.html",
"issue": "https://hackerone.com/reports/1613943",
"CWE": {
"id": "CWE-1286",
"desc": "Improper Validation of Syntactic Correctness of Input"
},
"award": {
"amount": "480",
"currency": "USD"
},
"last_affected": "7.84.0",
"severity": "Low"
},
"published": "2022-08-31T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "4.9"},
{"fixed": "7.85.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "ae1912cb0d494b48d514d937826c9fe83ec96c4d"},
{"fixed": "8dfc93e573ca740544a2d79ebb0ed786592c65c3"}
]
}
],
"versions": [
"7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1",
"7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0",
"7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0",
"7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0",
"7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0",
"7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0",
"7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0",
"7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0",
"7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1",
"7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0",
"7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0",
"7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0",
"7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4",
"7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7",
"7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0",
"7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3",
"7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2",
"7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0",
"7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0",
"7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2",
"7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4",
"7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3",
"7.7.2", "7.7.1", "7.7", "7.6.1", "7.6", "7.5.2", "7.5.1",
"7.5", "7.4.2", "7.4.1", "7.4", "7.3", "7.2.1", "7.2",
"7.1.1", "7.1", "6.5.2", "6.5.1", "6.5", "6.4", "6.3.1",
"6.3", "6.2", "6.1", "6.0", "5.11", "5.10", "5.9.1",
"5.9", "5.8", "5.7.1", "5.7", "5.5.1", "5.5", "5.4",
"5.3", "5.2.1", "5.2", "5.0", "4.10", "4.9"
]
}
],
"credits": [
{
"name": "Axel Chong",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "When curl retrieves and parses cookies from an HTTP(S) server, it accepts\ncookies using control codes (byte values below 32). When cookies that contain\nsuch control codes are later sent back to an HTTP(S) server, it might make the\nserver return a 400 response. Effectively allowing a \"sister site\" to deny\nservice to siblings."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2022-32208",
"aliases": [
"CVE-2022-32208"
],
"summary": "FTP-KRB bad message verification",
"modified": "2025-05-15T17:48:29.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2022-32208.json",
"www": "https://curl.se/docs/CVE-2022-32208.html",
"issue": "https://hackerone.com/reports/1590071",
"CWE": {
"id": "CWE-924",
"desc": "Improper Enforcement of Message Integrity During Transmission in a Communication Channel"
},
"award": {
"amount": "480",
"currency": "USD"
},
"last_affected": "7.83.1",
"severity": "Low"
},
"published": "2022-06-27T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.16.4"},
{"fixed": "7.84.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "54967d2a3ab5559631407f7b7f67ef48c2dda6dd"},
{"fixed": "6ecdf5136b52af747e7bda08db9a748256b1cd09"}
]
}
],
"versions": [
"7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0",
"7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0",
"7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0",
"7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1",
"7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0",
"7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1",
"7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3",
"7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1",
"7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0",
"7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0",
"7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0",
"7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1",
"7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3",
"7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6",
"7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2",
"7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4"
]
}
],
"credits": [
{
"name": "Harry Sintonen",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "When curl does FTP transfers secured by krb5, it handles message verification\nfailures wrongly. This flaw makes it possible for a Man-In-The-Middle attack\nto go unnoticed and even allows it to inject data to the client."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2022-32207",
"aliases": [
"CVE-2022-32207"
],
"summary": "Non-preserved file permissions",
"modified": "2025-05-15T17:48:29.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2022-32207.json",
"www": "https://curl.se/docs/CVE-2022-32207.html",
"issue": "https://hackerone.com/reports/1573634",
"CWE": {
"id": "CWE-281",
"desc": "Improper Preservation of Permissions"
},
"award": {
"amount": "2400",
"currency": "USD"
},
"last_affected": "7.83.1",
"severity": "Medium"
},
"published": "2022-06-27T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.69.0"},
{"fixed": "7.84.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "b834890a3fa3f525cd8ef4e99554cdb4558d7e1b"},
{"fixed": "20f9dd6bae50b7223171b17ba7798946e74f877f"}
]
}
],
"versions": [
"7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0",
"7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0",
"7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0"
]
}
],
"credits": [
{
"name": "Harry Sintonen",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "When curl saves cookies, alt-svc and hsts data to local files, it makes the\noperation atomic by finalizing the operation with a rename from a temporary\nname to the final target filename.\n\nIn that rename operation, it might accidentally *widen* the permissions for\nthe target file, leaving the updated file accessible to more users than\nintended."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2022-32206",
"aliases": [
"CVE-2022-32206"
],
"summary": "HTTP compression denial of service",
"modified": "2025-05-15T17:48:29.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2022-32206.json",
"www": "https://curl.se/docs/CVE-2022-32206.html",
"issue": "https://hackerone.com/reports/1570651",
"CWE": {
"id": "CWE-770",
"desc": "Allocation of Resources Without Limits or Throttling"
},
"award": {
"amount": "2400",
"currency": "USD"
},
"last_affected": "7.83.1",
"severity": "Medium"
},
"published": "2022-06-27T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.57.0"},
{"fixed": "7.84.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "dbcced8e32b50c068ac297106f0502ee200a1ebd"},
{"fixed": "3a09fbb7f264c67c438d01a30669ce325aa508e2"}
]
}
],
"versions": [
"7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0",
"7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0",
"7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0",
"7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1",
"7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0",
"7.58.0", "7.57.0"
]
}
],
"credits": [
{
"name": "Harry Sintonen",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "curl supports \"chained\" HTTP compression algorithms, meaning that a server\nresponse can be compressed multiple times and potentially with different\nalgorithms. The number of acceptable \"links\" in this \"decompression chain\" was\nunbounded, allowing a malicious server to insert a virtually unlimited number\nof compression steps.\n\nThe use of such a decompression chain could result in a \"malloc bomb\", making\ncurl end up spending enormous amounts of allocated heap memory, or trying to\nand returning out of memory errors."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2022-32205",
"aliases": [
"CVE-2022-32205"
],
"summary": "Set-Cookie denial of service",
"modified": "2025-05-15T17:48:29.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2022-32205.json",
"www": "https://curl.se/docs/CVE-2022-32205.html",
"issue": "https://hackerone.com/reports/1569946",
"CWE": {
"id": "CWE-770",
"desc": "Allocation of Resources Without Limits or Throttling"
},
"award": {
"amount": "480",
"currency": "USD"
},
"last_affected": "7.83.1",
"severity": "Low"
},
"published": "2022-06-27T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.71.0"},
{"fixed": "7.84.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "ed35d6590e72c23c568af1e3b8ac6e4e2d883888"},
{"fixed": "48d7064a49148f03942380967da739dcde1cdc24"}
]
}
],
"versions": [
"7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0",
"7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0",
"7.72.0", "7.71.1", "7.71.0"
]
}
],
"credits": [
{
"name": "Harry Sintonen",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "A malicious server can serve excessive amounts of `Set-Cookie:` headers in a\nHTTP response to curl and curl stores all of them. A sufficiently large amount\nof (big) cookies make subsequent HTTP requests to this, or other servers to\nwhich the cookies match, create requests that become larger than the threshold\nthat curl uses internally to avoid sending crazy large requests (1048576\nbytes) and instead returns an error.\n\nThis denial state might remain for as long as the same cookies are kept, match\nand have not expired. Due to cookie matching rules, a server on\n`foo.example.com` can set cookies that also would match for `bar.example.com`,\nmaking it it possible for a \"sister server\" to effectively cause a denial of\nservice for a sibling site on the same second level domain using this method."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2022-30115",
"aliases": [
"CVE-2022-30115"
],
"summary": "HSTS bypass via trailing dot",
"modified": "2025-05-15T17:48:29.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2022-30115.json",
"www": "https://curl.se/docs/CVE-2022-30115.html",
"issue": "https://hackerone.com/reports/1557449",
"CWE": {
"id": "CWE-319",
"desc": "Cleartext Transmission of Sensitive Information"
},
"award": {
"amount": "2400",
"currency": "USD"
},
"last_affected": "7.83.0",
"severity": "Medium"
},
"published": "2022-05-11T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.82.0"},
{"fixed": "7.83.1"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "b27ad8e1d3e68eb3214fcbb398ca436873aa7c67"},
{"fixed": "fae6fea209a2d4db1582f608bd8cc8000721733a"}
]
}
],
"versions": [
"7.83.0", "7.82.0"
]
}
],
"credits": [
{
"name": "Axel Chong",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "curl's HSTS check could be bypassed to trick it to keep using HTTP.\n\nUsing its HSTS support, curl can be instructed to use HTTPS directly instead\nof using an insecure clear-text HTTP step even when HTTP is provided in the\nURL. This mechanism could be bypassed if the hostname in the given URL used a\ntrailing dot while not using one when it built the HSTS cache. Or the other\nway around - by having the trailing dot in the HSTS cache and *not* using the\ntrailing dot in the URL.\n\nSince trailing dots in hostnames are somewhat special, many sites work\nequally fine with or without a trailing dot present."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2022-27782",
"aliases": [
"CVE-2022-27782"
],
"summary": "TLS and SSH connection too eager reuse",
"modified": "2025-05-15T17:48:29.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2022-27782.json",
"www": "https://curl.se/docs/CVE-2022-27782.html",
"issue": "https://hackerone.com/reports/1555796",
"CWE": {
"id": "CWE-305",
"desc": "Authentication Bypass by Primary Weakness"
},
"award": {
"amount": "2400",
"currency": "USD"
},
"last_affected": "7.83.0",
"severity": "Medium"
},
"published": "2022-05-11T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.16.1"},
{"fixed": "7.83.1"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "2147284cad624325f5b0034c2f394db62086d9e6"},
{"fixed": "1645e9b44505abd5cbaf65da5282c3f33b5924a5"}
]
}
],
"versions": [
"7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0",
"7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0",
"7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0",
"7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0",
"7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0",
"7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0",
"7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2",
"7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0",
"7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0",
"7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0",
"7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1",
"7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0",
"7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2",
"7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5",
"7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1",
"7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1"
]
}
],
"credits": [
{
"name": "Harry Sintonen",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl would reuse a previously created connection even when a TLS or SSH\nrelated option had been changed that should have prohibited reuse.\n\nlibcurl keeps previously used connections in a connection pool for subsequent\ntransfers to reuse if one of them matches the setup. However, several TLS and\nSSH settings were left out from the configuration match checks, making them\nmatch too easily."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2022-27781",
"aliases": [
"CVE-2022-27781"
],
"summary": "CERTINFO never-ending busy-loop",
"modified": "2025-05-15T17:48:29.00Z",
"database_specific": {
"package": "curl",
"affects": "lib",
"URL": "https://curl.se/docs/CVE-2022-27781.json",
"www": "https://curl.se/docs/CVE-2022-27781.html",
"issue": "https://hackerone.com/reports/1555441",
"CWE": {
"id": "CWE-835",
"desc": "Loop with Unreachable Exit Condition ('Infinite Loop')"
},
"last_affected": "7.83.0",
"severity": "Low"
},
"published": "2022-05-11T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.34.0"},
{"fixed": "7.83.1"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "f6c335d63f2da025a0a3efde1fe59e3bb7189b70"},
{"fixed": "5c7da89d404bf59c8dd82a001119a16d18365917"}
]
}
],
"versions": [
"7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0",
"7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0",
"7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0",
"7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0",
"7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0",
"7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0",
"7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2",
"7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0",
"7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0",
"7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0",
"7.34.0"
]
}
],
"credits": [
{
"name": "Florian Kohnhäuser",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl provides the `CURLOPT_CERTINFO` option to allow applications to\nrequest details to be returned about a TLS server's certificate chain.\n\nDue to an erroneous function, a malicious server could make libcurl built with\nNSS get stuck in a never-ending busy-loop when trying to retrieve that\ninformation."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2022-27780",
"aliases": [
"CVE-2022-27780"
],
"summary": "percent-encoded path separator in URL host",
"modified": "2025-05-15T17:48:29.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2022-27780.json",
"www": "https://curl.se/docs/CVE-2022-27780.html",
"issue": "https://hackerone.com/reports/1553841",
"CWE": {
"id": "CWE-177",
"desc": "Improper Handling of URL Encoding"
},
"award": {
"amount": "2400",
"currency": "USD"
},
"last_affected": "7.83.0",
"severity": "Medium"
},
"published": "2022-05-11T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.80.0"},
{"fixed": "7.83.1"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "9a8564a920188e49d5bd8c1c8573ddef97f6e03a"},
{"fixed": "914aaab9153764ef8fa4178215b8ad89d3ac263a"}
]
}
],
"versions": [
"7.83.0", "7.82.0", "7.81.0", "7.80.0"
]
}
],
"credits": [
{
"name": "Axel Chong",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "The curl URL parser wrongly accepts percent-encoded URL separators like '/'\nwhen decoding the hostname part of a URL, making it a *different* URL using\nthe wrong hostname when it is later retrieved.\n\nFor example, a URL like `http://example.com%2F10.0.0.1/`, would be allowed by\nthe parser and get transposed into `http://example.com/10.0.0.1/`. This flaw\ncan be used to circumvent filters, checks and more."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2022-27779",
"aliases": [
"CVE-2022-27779"
],
"summary": "cookie for trailing dot TLD",
"modified": "2025-05-15T17:48:29.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2022-27779.json",
"www": "https://curl.se/docs/CVE-2022-27779.html",
"issue": "https://hackerone.com/reports/1553301",
"CWE": {
"id": "CWE-201",
"desc": "Information Exposure Through Sent Data"
},
"award": {
"amount": "2400",
"currency": "USD"
},
"last_affected": "7.83.0",
"severity": "Medium"
},
"published": "2022-05-11T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.82.0"},
{"fixed": "7.83.1"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "b27ad8e1d3e68eb3214fcbb398ca436873aa7c67"},
{"fixed": "7e92d12b4e6911f424678a133b19de670e183a59"}
]
}
],
"versions": [
"7.83.0", "7.82.0"
]
}
],
"credits": [
{
"name": "Axel Chong",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl wrongly allows HTTP cookies to be set for Top Level Domains (TLDs) if\nthe hostname is provided with a trailing dot.\n\ncurl can be told to receive and send cookies when communicating using\nHTTP(S). curl's \"cookie engine\" can be built with or without [Public Suffix\nList](https://publicsuffix.org/) awareness. If PSL support not provided, a\nmore rudimentary check exists to at least prevent cookies from being set on\nTLDs. This check was broken if the hostname in the URL uses a trailing dot.\n\nThis can allow arbitrary sites to set cookies that then would get sent to a\ndifferent and unrelated site or domain."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2022-27778",
"aliases": [
"CVE-2022-27778"
],
"summary": "curl removes wrong file on error",
"modified": "2025-05-15T17:48:29.00Z",
"database_specific": {
"package": "curl",
"affects": "tool",
"URL": "https://curl.se/docs/CVE-2022-27778.json",
"www": "https://curl.se/docs/CVE-2022-27778.html",
"issue": "https://hackerone.com/reports/1553598",
"CWE": {
"id": "CWE-706",
"desc": "Use of Incorrectly-Resolved Name or Reference"
},
"award": {
"amount": "2400",
"currency": "USD"
},
"last_affected": "7.83.0",
"severity": "Medium"
},
"published": "2022-05-11T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.83.0"},
{"fixed": "7.83.1"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "08a96c6e4e6cf6a1917a117db1b5394713e3f01f"},
{"fixed": "8c7ee9083d0d719d0a77ab20d9cc2ae84eeea7f3"}
]
}
],
"versions": [
"7.83.0"
]
}
],
"credits": [
{
"name": "Harry Sintonen",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "curl might remove the wrong file when `--no-clobber` is used together with\n`--remove-on-error`.\n\nThe `--remove-on-error` option tells curl to remove the output file when it\nreturns an error, and not leave a partial file behind. The `--no-clobber`\noption prevents curl from overwriting a file if it already exists, and instead\nappends a number to the name to create a new unused filename.\n\nIf curl adds a number to not \"clobber\" the output and an error occurs during\ntransfer, the remove on error logic would remove the *original* filename\nwithout the added number."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2022-27776",
"aliases": [
"CVE-2022-27776"
],
"summary": "Auth/cookie leak on redirect",
"modified": "2025-05-15T17:48:29.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2022-27776.json",
"www": "https://curl.se/docs/CVE-2022-27776.html",
"issue": "https://hackerone.com/reports/1547048",
"CWE": {
"id": "CWE-522",
"desc": "Insufficiently Protected Credentials"
},
"award": {
"amount": "480",
"currency": "USD"
},
"last_affected": "7.82.0",
"severity": "Low"
},
"published": "2022-04-27T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "4.9"},
{"fixed": "7.83.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "ae1912cb0d494b48d514d937826c9fe83ec96c4d"},
{"fixed": "6e659993952aa5f90f48864be84a1bbb047fc258"}
]
}
],
"versions": [
"7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0",
"7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1",
"7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0",
"7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0",
"7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0",
"7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1",
"7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1",
"7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0",
"7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0",
"7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0",
"7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0",
"7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0",
"7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1",
"7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4",
"7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0",
"7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0",
"7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1",
"7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1",
"7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6",
"7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8",
"7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1",
"7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7",
"7.6.1", "7.6", "7.5.2", "7.5.1", "7.5", "7.4.2", "7.4.1",
"7.4", "7.3", "7.2.1", "7.2", "7.1.1", "7.1", "6.5.2",
"6.5.1", "6.5", "6.4", "6.3.1", "6.3", "6.2", "6.1",
"6.0", "5.11", "5.10", "5.9.1", "5.9", "5.8", "5.7.1",
"5.7", "5.5.1", "5.5", "5.4", "5.3", "5.2.1", "5.2",
"5.0", "4.10", "4.9"
]
}
],
"credits": [
{
"name": "Harry Sintonen",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "curl might leak authentication or cookie header data on HTTP redirects to the\nsame host but another port number.\n\nWhen asked to send custom headers or cookies in its HTTP requests, curl sends\nthat set of headers only to the host which name is used in the initial URL, so\nthat redirects to other hosts make curl send the data to those. However, due\nto a flawed check, curl wrongly also sends that same set of headers to the\nhosts that are identical to the first one but use a different port number or\nURL scheme. Contrary to expectation and intention.\n\nSending the same set of headers to a server on a different port number is a\nproblem for applications that pass on custom `Authorization:` or `Cookie:`\nheaders, as those headers often contain privacy sensitive information or data.\n\ncurl and libcurl have options that allow users to opt out from this check, but\nthat is not set by default."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2022-27775",
"aliases": [
"CVE-2022-27775"
],
"summary": "Bad local IPv6 connection reuse",
"modified": "2025-05-15T17:48:29.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2022-27775.json",
"www": "https://curl.se/docs/CVE-2022-27775.html",
"issue": "https://hackerone.com/reports/1546268",
"CWE": {
"id": "CWE-200",
"desc": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"award": {
"amount": "480",
"currency": "USD"
},
"last_affected": "7.82.0",
"severity": "Low"
},
"published": "2022-04-27T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.65.0"},
{"fixed": "7.83.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "2d0e9b40d3237b1450cbbfbcb996da244d964898"},
{"fixed": "058f98dc3fe595f21dc26a5b9b1699e519ba5705"}
]
}
],
"versions": [
"7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0",
"7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1",
"7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0",
"7.65.3", "7.65.2", "7.65.1", "7.65.0"
]
}
],
"credits": [
{
"name": "Harry Sintonen",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl keeps previously used connections in a connection pool for subsequent\ntransfers to reuse, if one of them matches the setup.\n\nDue to errors in the logic, the config matching function did not take the IPv6\naddress zone id into account which could lead to libcurl reusing the wrong\nconnection when one transfer uses a zone id and a subsequent transfer uses\nanother (or no) zone id."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2022-27774",
"aliases": [
"CVE-2022-27774"
],
"summary": "Credential leak on redirect",
"modified": "2023-05-06T00:27:48.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2022-27774.json",
"www": "https://curl.se/docs/CVE-2022-27774.html",
"issue": "https://hackerone.com/reports/1543773",
"CWE": {
"id": "CWE-522",
"desc": "Insufficiently Protected Credentials"
},
"award": {
"amount": "2400",
"currency": "USD"
},
"last_affected": "7.82.0",
"severity": "Medium"
},
"published": "2022-04-27T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "4.9"},
{"fixed": "7.83.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "ae1912cb0d494b48d514d937826c9fe83ec96c4d"},
{"fixed": "139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08"}
]
}
],
"versions": [
"7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0",
"7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1",
"7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0",
"7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0",
"7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0",
"7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1",
"7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1",
"7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0",
"7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0",
"7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0",
"7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0",
"7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0",
"7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1",
"7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4",
"7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0",
"7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0",
"7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1",
"7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1",
"7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6",
"7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8",
"7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1",
"7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7",
"7.6.1", "7.6", "7.5.2", "7.5.1", "7.5", "7.4.2", "7.4.1",
"7.4", "7.3", "7.2.1", "7.2", "7.1.1", "7.1", "6.5.2",
"6.5.1", "6.5", "6.4", "6.3.1", "6.3", "6.2", "6.1",
"6.0", "5.11", "5.10", "5.9.1", "5.9", "5.8", "5.7.1",
"5.7", "5.5.1", "5.5", "5.4", "5.3", "5.2.1", "5.2",
"5.0", "4.10", "4.9"
]
}
],
"credits": [
{
"name": "Harry Sintonen",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "curl follows HTTP(S) redirects when asked to. curl also supports\nauthentication. When a user and password are provided for a URL with a given\nhostname, curl makes an effort to not pass on those credentials to other hosts\nin redirects unless given permission with a special option.\n\nThis \"same host check\" has been flawed ever since it was introduced. It does\nnot work on cross protocol redirects and it does not consider different port\nnumbers to be separate hosts. This leads to curl leaking credentials to other\nservers when it follows redirects from auth protected HTTP(S) URLs to other\nprotocols and port numbers. It could also leak the TLS SRP credentials this\nway.\n\nBy default, curl only allows redirects to HTTP(S) and FTP(S), but can be asked\nto allow redirects to all protocols curl supports."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2022-22576",
"aliases": [
"CVE-2022-22576"
],
"summary": "OAUTH2 bearer bypass in connection reuse",
"modified": "2025-09-27T10:58:29.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2022-22576.json",
"www": "https://curl.se/docs/CVE-2022-22576.html",
"issue": "https://hackerone.com/reports/1526328",
"CWE": {
"id": "CWE-305",
"desc": "Authentication Bypass by Primary Weakness"
},
"award": {
"amount": "2400",
"currency": "USD"
},
"last_affected": "7.82.0",
"severity": "Medium"
},
"published": "2022-04-27T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.33.0"},
{"fixed": "7.83.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "19a05c908f7d8be82de6f69f533317d8a0db49dd"},
{"fixed": "852aa5ad351ea53e5f01d2f44b5b4370c2bf5425"}
]
}
],
"versions": [
"7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0",
"7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1",
"7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0",
"7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0",
"7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0",
"7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1",
"7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1",
"7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0",
"7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0",
"7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0",
"7.33.0"
]
}
],
"credits": [
{
"name": "Patrick Monnerat",
"type": "FINDER"
},
{
"name": "Patrick Monnerat",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl might reuse OAUTH2-authenticated connections without properly making\nsure that the connection was authenticated with the same credentials as set\nfor this transfer. This affects SASL-enabled protocols: SMTP(S), IMAP(S),\nPOP3(S) and LDAP(S) (OpenLDAP only).\n\nlibcurl maintains a pool of live connections after a transfer has completed\n(sometimes called the connection cache). This pool of connections is then gone\nthrough when a new transfer is requested and if there is a live connection\navailable that can be reused, it is preferred instead of creating a new one.\n\nDue to this security vulnerability, a connection that is successfully created\nand authenticated with a username + OAUTH2 bearer could subsequently be\nerroneously reused even for user + [other OAUTH2 bearer], even though that\nmight not even be a valid bearer. This could lead to an authentication bypass,\neither by mistake or by a malicious actor."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2021-22947",
"aliases": [
"CVE-2021-22947"
],
"summary": "STARTTLS protocol injection via MITM",
"modified": "2025-05-15T17:48:29.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2021-22947.json",
"www": "https://curl.se/docs/CVE-2021-22947.html",
"issue": "https://hackerone.com/reports/1334763",
"CWE": {
"id": "CWE-349",
"desc": "Acceptance of Extraneous Untrusted Data With Trusted Data"
},
"award": {
"amount": "1500",
"currency": "USD"
},
"last_affected": "7.78.0",
"severity": "Medium"
},
"published": "2021-09-15T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.20.0"},
{"fixed": "7.79.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "ec3bb8f727405642a471b4b1b9eb0118fc003104"},
{"fixed": "8ef147c43646e91fdaad5d0e7b60351f842e5c68"}
]
}
],
"versions": [
"7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0",
"7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0",
"7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1",
"7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0",
"7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1",
"7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3",
"7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1",
"7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0",
"7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0",
"7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0",
"7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1",
"7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3",
"7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0"
]
}
],
"credits": [
{
"name": "Patrick Monnerat",
"type": "FINDER"
},
{
"name": "Patrick Monnerat",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "When curl connects to an IMAP, POP3, SMTP or FTP server to exchange data\nsecurely using STARTTLS to upgrade the connection to TLS level, the server can\nstill respond and send back multiple responses before the TLS upgrade. Such\nmultiple *pipelined* responses are cached by curl. curl would then upgrade to\nTLS but not flush the in-queue of cached responses and instead use and trust\nthe responses it got *before* the TLS handshake as if they were authenticated.\n\nThis flaw allows a Man-In-The-Middle attacker to first inject the\nfake responses, then pass through the TLS traffic from the legitimate server\nand trick curl into sending data back to the user thinking the attacker's\ninjected data comes from the TLS-protected server.\n\nOver POP3 and IMAP an attacker can inject fake response data."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2021-22946",
"aliases": [
"CVE-2021-22946"
],
"summary": "Protocol downgrade required TLS bypassed",
"modified": "2025-05-15T17:48:29.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2021-22946.json",
"www": "https://curl.se/docs/CVE-2021-22946.html",
"issue": "https://hackerone.com/reports/1334111",
"CWE": {
"id": "CWE-325",
"desc": "Missing Cryptographic Step"
},
"award": {
"amount": "1000",
"currency": "USD"
},
"last_affected": "7.78.0",
"severity": "Medium"
},
"published": "2021-09-15T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.20.0"},
{"fixed": "7.79.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "ec3bb8f727405642a471b4b1b9eb0118fc003104"},
{"fixed": "364f174724ef115c63d5e5dc1d3342c8a43b1cca"}
]
}
],
"versions": [
"7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0",
"7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0",
"7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1",
"7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0",
"7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1",
"7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3",
"7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1",
"7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0",
"7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0",
"7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0",
"7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1",
"7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3",
"7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0"
]
}
],
"credits": [
{
"name": "Patrick Monnerat",
"type": "FINDER"
},
{
"name": "Patrick Monnerat",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "A user can tell curl to **require** a successful upgrade to TLS when speaking\nto an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or\n`CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` with\nlibcurl). This requirement could be bypassed if the server would return a\nproperly crafted but perfectly legitimate response.\n\nThis flaw would then make curl silently continue its operations **without\nTLS** contrary to the instructions and expectations, exposing possibly\nsensitive data in clear text over the network."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2021-22945",
"aliases": [
"CVE-2021-22945"
],
"summary": "UAF and double free in MQTT sending",
"modified": "2025-05-15T17:48:29.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2021-22945.json",
"www": "https://curl.se/docs/CVE-2021-22945.html",
"issue": "https://hackerone.com/reports/1269242",
"CWE": {
"id": "CWE-415",
"desc": "Double Free"
},
"award": {
"amount": "1000",
"currency": "USD"
},
"last_affected": "7.78.0",
"severity": "Medium"
},
"published": "2021-09-15T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.73.0"},
{"fixed": "7.79.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "2522903b792ac5a802f780df60dc4647c58e2477"},
{"fixed": "43157490a5054bd24256fe12876931e8abc9df49"}
]
}
],
"versions": [
"7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0"
]
}
],
"credits": [
{
"name": "z2_",
"type": "FINDER"
},
{
"name": "z2_",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "When sending data to an MQTT server, libcurl could in some circumstances\nerroneously keep a pointer to an already freed memory area and both use that\nagain in a subsequent call to send data and also free it *again*."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2021-22926",
"aliases": [
"CVE-2021-22926"
],
"summary": "CURLOPT_SSLCERT mix-up with Secure Transport",
"modified": "2025-05-15T17:48:29.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2021-22926.json",
"www": "https://curl.se/docs/CVE-2021-22926.html",
"issue": "https://hackerone.com/reports/1234760",
"CWE": {
"id": "CWE-295",
"desc": "Improper Certificate Validation"
},
"award": {
"amount": "1000",
"currency": "USD"
},
"last_affected": "7.77.0",
"severity": "Medium"
},
"published": "2021-07-21T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.33.0"},
{"fixed": "7.78.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "d2fe616e7e44a106ac976aaeaa441ad7d8a6df11"},
{"fixed": "fd9b40bf8dfd43edcbc0d254d613d95a11061c05"}
]
}
],
"versions": [
"7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0",
"7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0",
"7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0",
"7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0",
"7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0",
"7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2",
"7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0",
"7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0",
"7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0",
"7.34.0", "7.33.0"
]
}
],
"credits": [
{
"name": "Harry Sintonen",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl-using applications can ask for a specific client certificate to be\nused in a transfer. This is done with the `CURLOPT_SSLCERT` option (`--cert`\nwith the command line tool).\n\nWhen libcurl is built to use the macOS native TLS library Secure Transport, an\napplication can ask for the client certificate by name or with a filename -\nusing the same option. If the name exists as a file, it is used instead of by\nname.\n\nIf the application runs with a current working directory that is writable by\nother users (like `/tmp`), a malicious user can create a filename with the\nsame name as the app wants to use by name, and thereby trick the application\nto use the file based cert instead of the one referred to by name making\nlibcurl send the wrong client certificate in the TLS connection handshake."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2021-22925",
"aliases": [
"CVE-2021-22925"
],
"summary": "TELNET stack contents disclosure again",
"modified": "2023-05-09T13:59:45.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2021-22925.json",
"www": "https://curl.se/docs/CVE-2021-22925.html",
"issue": "https://hackerone.com/reports/1223882",
"CWE": {
"id": "CWE-457",
"desc": "Use of Uninitialized Variable"
},
"award": {
"amount": "800",
"currency": "USD"
},
"last_affected": "7.77.0",
"severity": "Medium"
},
"published": "2021-07-21T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.7"},
{"fixed": "7.78.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "a1d6ad26100bc493c7b04f1301b1634b7f5aa8b4"},
{"fixed": "894f6ec730597eb243618d33cc84d71add8d6a8a"}
]
}
],
"versions": [
"7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0",
"7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0",
"7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0",
"7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0",
"7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0",
"7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2",
"7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0",
"7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0",
"7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0",
"7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1",
"7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0",
"7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2",
"7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5",
"7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1",
"7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1",
"7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0",
"7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2",
"7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7",
"7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10",
"7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2",
"7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1",
"7.7"
]
}
],
"credits": [
{
"name": "Red Hat Product Security",
"type": "FINDER"
},
{
"name": "Red Hat Product Security",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`\nin libcurl. This rarely used option is used to send variable=content pairs to\nTELNET servers.\n\nDue to a flaw in the option parser for sending `NEW_ENV` variables, libcurl\ncould be made to pass on uninitialized data from a stack based buffer to the\nserver, thereby potentially revealing sensitive internal information to the\nserver using a clear-text network protocol.\n\nThis could happen because curl did not call and use `sscanf()` correctly when\nparsing the string provided by the application.\n\nThe previous curl security vulnerability\n[CVE-2021-22898](https://curl.se/docs/CVE-2021-22898.html) is almost identical\nto this one but the fix was insufficient so this security vulnerability\nremained."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2021-22924",
"aliases": [
"CVE-2021-22924"
],
"summary": "Bad connection reuse due to flawed path name checks",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2021-22924.json",
"www": "https://curl.se/docs/CVE-2021-22924.html",
"issue": "https://hackerone.com/reports/1223565",
"CWE": {
"id": "CWE-295",
"desc": "Improper Certificate Validation"
},
"award": {
"amount": "1200",
"currency": "USD"
},
"last_affected": "7.77.0",
"severity": "Medium"
},
"published": "2021-07-21T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.10.4"},
{"fixed": "7.78.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "89721ff04af70f527baae1368f3b992777bf6526"},
{"fixed": "5ea3145850ebff1dc2b13d17440300a01ca38161"}
]
}
],
"versions": [
"7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0",
"7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0",
"7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0",
"7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0",
"7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0",
"7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2",
"7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0",
"7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0",
"7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0",
"7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1",
"7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0",
"7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2",
"7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5",
"7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1",
"7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1",
"7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0",
"7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2",
"7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7",
"7.10.6", "7.10.5", "7.10.4"
]
}
],
"credits": [
{
"name": "Harry Sintonen",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl keeps previously used connections in a connection pool for subsequent\ntransfers to reuse, if one of them matches the setup.\n\nDue to errors in the logic, the config matching function did not take 'issuer\ncert' into account and it compared the involved paths *case insensitively*,\nwhich could lead to libcurl reusing wrong connections.\n\nFile paths are, or can be, case sensitive on many systems but not all, and can\neven vary depending on used file systems.\n\nThe comparison also did not include the 'issuer cert' which a transfer can set\nto qualify how to verify the server certificate."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2021-22923",
"aliases": [
"CVE-2021-22923"
],
"summary": "Metalink download sends credentials",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "tool",
"URL": "https://curl.se/docs/CVE-2021-22923.json",
"www": "https://curl.se/docs/CVE-2021-22923.html",
"issue": "https://hackerone.com/reports/1213181",
"CWE": {
"id": "CWE-522",
"desc": "Insufficiently Protected Credentials"
},
"award": {
"amount": "700",
"currency": "USD"
},
"last_affected": "7.77.0",
"severity": "Medium"
},
"published": "2021-07-21T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.27.0"},
{"fixed": "7.78.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "b5fdbe848bc3d088445817aa890d3f2f74ac5b02"},
{"fixed": "265b14d6b37c4298bd5556fabcbc37d36f911693"}
]
}
],
"versions": [
"7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0",
"7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0",
"7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0",
"7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0",
"7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0",
"7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2",
"7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0",
"7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0",
"7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0",
"7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1",
"7.28.0", "7.27.0"
]
}
],
"credits": [
{
"name": "Harry Sintonen",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "When curl is instructed to get content using the Metalink feature, and a user\nname and password are used to download the Metalink XML file, those same\ncredentials are then subsequently passed on to each of the servers from which\ncurl downloads or tries to download the contents, often contrary to the\nuser's expectations and intentions and without telling the user it happened."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2021-22922",
"aliases": [
"CVE-2021-22922"
],
"summary": "Wrong content via Metalink not discarded",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "tool",
"URL": "https://curl.se/docs/CVE-2021-22922.json",
"www": "https://curl.se/docs/CVE-2021-22922.html",
"issue": "https://hackerone.com/reports/1213175",
"CWE": {
"id": "CWE-20",
"desc": "Improper Input Validation"
},
"award": {
"amount": "700",
"currency": "USD"
},
"last_affected": "7.77.0",
"severity": "Medium"
},
"published": "2021-07-21T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.27.0"},
{"fixed": "7.78.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "b5fdbe848bc3d088445817aa890d3f2f74ac5b02"},
{"fixed": "265b14d6b37c4298bd5556fabcbc37d36f911693"}
]
}
],
"versions": [
"7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0",
"7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0",
"7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0",
"7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0",
"7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0",
"7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2",
"7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0",
"7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0",
"7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0",
"7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1",
"7.28.0", "7.27.0"
]
}
],
"credits": [
{
"name": "Harry Sintonen",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "When curl is instructed to download content using the Metalink feature, the\ncontents are verified against a hash provided in the Metalink XML file.\n\nThe Metalink XML file points out to the client how to get the same content\nfrom a set of different URLs, potentially hosted by different servers and the\nclient can then download the file from one or several of them, in a serial or\nparallel manner.\n\nIf one of the servers hosting the contents has been breached and the contents\nof the specific file on that server are replaced with a modified payload, curl\nshould detect this when the hash of the file mismatches after a completed\ndownload. It should remove the contents and instead try getting the contents\nfrom another URL. This is not done, and instead such a hash mismatch is only\nmentioned in text and the potentially malicious content is kept in the file on\ndisk.\n\nThere is a risk the user does not notice the message and instead assumes the\nfile is fine."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2021-22901",
"aliases": [
"CVE-2021-22901"
],
"summary": "TLS session caching disaster",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2021-22901.json",
"www": "https://curl.se/docs/CVE-2021-22901.html",
"issue": "https://hackerone.com/reports/1180380",
"CWE": {
"id": "CWE-416",
"desc": "Use After Free"
},
"award": {
"amount": "2000",
"currency": "USD"
},
"last_affected": "7.76.1",
"severity": "High"
},
"published": "2021-05-26T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.75.0"},
{"fixed": "7.77.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "a304051620b92e12b6b1b4e19edc57b34ea332b6"},
{"fixed": "7f4a9a9b2a49547eae24d2e19bc5c346e9026479"}
]
}
],
"versions": [
"7.76.1", "7.76.0", "7.75.0"
]
}
],
"credits": [
{
"name": "Harry Sintonen",
"type": "FINDER"
},
{
"name": "Harry Sintonen",
"type": "REMEDIATION_DEVELOPER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
},
{
"name": "Brad Spencer",
"type": "OTHER"
}
],
"details": "libcurl can be tricked into using already freed memory when a new TLS session\nis negotiated or a client certificate is requested on an existing connection.\nFor example, this can happen when a TLS server requests a client certificate\non a connection that was established without one. A malicious server can use\nthis in rare unfortunate circumstances to potentially reach remote code\nexecution in the client.\n\nOpenSSL can declare a \"new session\" for different reasons, including the\ninitial TLS handshake completion, TLS 1.2 (or earlier) renegotiation, or TLS\n1.3 client certificate requests. When libcurl at runtime sets up support for\nsession ID caching on a connection using OpenSSL, it stores pointers to the\ntransfer in-memory object for later retrieval when OpenSSL considers a new\nsession to be established.\n\nHowever, if the connection is used by multiple transfers (like with a reused\nHTTP/1.1 connection or multiplexed HTTP/2 connection) that first transfer\nobject might be freed before the new session is established on that connection\nand then the function accesses a memory buffer that might be freed. When using\nthat memory, libcurl might even call a function pointer in the object, making\nit possible for a remote code execution if the server could somehow manage to\nget crafted memory content into the correct place in memory."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2021-22898",
"aliases": [
"CVE-2021-22898"
],
"summary": "TELNET stack contents disclosure",
"modified": "2023-05-09T13:59:45.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2021-22898.json",
"www": "https://curl.se/docs/CVE-2021-22898.html",
"issue": "https://hackerone.com/reports/1176461",
"CWE": {
"id": "CWE-457",
"desc": "Use of Uninitialized Variable"
},
"award": {
"amount": "1000",
"currency": "USD"
},
"last_affected": "7.76.1",
"severity": "Medium"
},
"published": "2021-05-26T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.7"},
{"fixed": "7.77.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "a1d6ad26100bc493c7b04f1301b1634b7f5aa8b4"},
{"fixed": "39ce47f219b09c380b81f89fe54ac586c8db6bde"}
]
}
],
"versions": [
"7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1",
"7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0",
"7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0",
"7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0",
"7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1",
"7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1",
"7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0",
"7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0",
"7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0",
"7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0",
"7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0",
"7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1",
"7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4",
"7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0",
"7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0",
"7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1",
"7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1",
"7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6",
"7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8",
"7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1",
"7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7"
]
}
],
"credits": [
{
"name": "Harry Sintonen",
"type": "FINDER"
},
{
"name": "Harry Sintonen",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`\nin libcurl. This rarely used option is used to send variable=content pairs to\nTELNET servers.\n\nDue to a flaw in the option parser for sending `NEW_ENV` variables, libcurl\ncould be made to pass on uninitialized data from a stack based buffer to the\nserver, thereby potentially revealing sensitive internal information to the\nserver using a clear-text network protocol.\n\nThis could happen because curl did not correctly check the return code from a\n`sscanf(command, \"%127[^,],%127s\")` call, and would leave\nthe piece of the send buffer uninitialized for the value part if it was\nprovided longer than 127 bytes. The buffer used for this is 2048 bytes big and\nthe *variable* part of the *variable=content* pairs would be stored correctly\nin the send buffer, making curl send \"interleaved\" byte sequences of stack\ncontents. A single curl TELNET handshake could then be made to send off a\ntotal of around 1800 bytes of (non-contiguous) stack contents in this style:\n\n [control byte]name[control byte]\n stack contents\n [control byte]name[control byte]\n stack contents\n ...\n\nAn easy proof of concept command line looks like this:\n\n curl telnet://example.com -tNEW_ENV=a,bbbbbb (256 'b's)"
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2021-22897",
"aliases": [
"CVE-2021-22897"
],
"summary": "Schannel cipher selection surprise",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2021-22897.json",
"www": "https://curl.se/docs/CVE-2021-22897.html",
"issue": "https://hackerone.com/reports/1172857",
"CWE": {
"id": "CWE-488",
"desc": "Exposure of Data Element to Wrong Session"
},
"award": {
"amount": "800",
"currency": "USD"
},
"last_affected": "7.76.1",
"severity": "Low"
},
"published": "2021-05-26T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.61.0"},
{"fixed": "7.77.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "9aefbff30d280c60fc9d8cc3e0b2f19fc70a2f28"},
{"fixed": "bbb71507b7bab52002f9b1e0880bed6a32834511"}
]
}
],
"versions": [
"7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1",
"7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0",
"7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0",
"7.62.0", "7.61.1", "7.61.0"
]
}
],
"credits": [
{
"name": "Harry Sintonen",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl lets applications specify which specific TLS ciphers to use in\ntransfers, using the option called `CURLOPT_SSL_CIPHER_LIST`. The cipher\nselection is used for the TLS negotiation when a transfer is done involving\nany of the TLS based transfer protocols libcurl supports, such as HTTPS, FTPS,\nIMAPS, POP3S, SMTPS etc.\n\nDue to a mistake in the code, the selected cipher set was stored in a single\n\"static\" variable in the library, which has the surprising side-effect that if\nan application sets up multiple concurrent transfers, the last one that sets\nthe ciphers accidentally controls the set used by all transfers. In a\nworst-case scenario, this weakens transport security significantly."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2021-22890",
"aliases": [
"CVE-2021-22890"
],
"summary": "TLS 1.3 session ticket proxy host mix-up",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2021-22890.json",
"www": "https://curl.se/docs/CVE-2021-22890.html",
"issue": "https://hackerone.com/reports/1129529",
"CWE": {
"id": "CWE-290",
"desc": "Authentication Bypass by Spoofing"
},
"last_affected": "7.75.0",
"severity": "Low"
},
"published": "2021-03-31T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.63.0"},
{"fixed": "7.76.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "549310e907e82e44c59548351d4c6ac4aaada114"},
{"fixed": "b09c8ee15771c614c4bf3ddac893cdb12187c844"}
]
}
],
"versions": [
"7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0",
"7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2",
"7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0"
]
}
],
"credits": [
{
"name": "Mingtao Yang (Facebook)",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "Enabled by default, libcurl supports the use of TLS 1.3 session tickets to\nresume previous TLS sessions to speed up subsequent TLS handshakes.\n\nWhen using an HTTPS proxy and TLS 1.3, libcurl can confuse session tickets\narriving from the HTTPS proxy but work as if they arrived from the remote\nserver and then wrongly \"short-cut\" the host handshake. The reason for this\nconfusion is the modified sequence from TLS 1.2 when the session ids would\nprovided only during the TLS handshake, while in TLS 1.3 it happens post\nhand-shake and the code was not updated to take that changed behavior into\naccount.\n\nWhen confusing the tickets, an HTTPS proxy can trick libcurl to use the wrong\nsession ticket resume for the host and thereby circumvent the server TLS\ncertificate check and make a MITM attack to be possible to perform unnoticed.\n\nThis flaw can allow a malicious HTTPS proxy to MITM the traffic. Such a\nmalicious HTTPS proxy needs to provide a certificate that curl accepts for the\nMITMed server for an attack to work - unless curl has been told to ignore the\nserver certificate check."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2021-22876",
"aliases": [
"CVE-2021-22876"
],
"summary": "Automatic referer leaks credentials",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2021-22876.json",
"www": "https://curl.se/docs/CVE-2021-22876.html",
"issue": "https://hackerone.com/reports/1101882",
"CWE": {
"id": "CWE-359",
"desc": "Exposure of Private Personal Information to an Unauthorized Actor"
},
"award": {
"amount": "800",
"currency": "USD"
},
"last_affected": "7.75.0",
"severity": "Low"
},
"published": "2021-03-31T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.1.1"},
{"fixed": "7.76.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "f30ffef477636dc10a72eb30590a84a0218e5935"},
{"fixed": "7214288898f5625a6cc196e22a74232eada7861c"}
]
}
],
"versions": [
"7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0",
"7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2",
"7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1",
"7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0",
"7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1",
"7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1",
"7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0",
"7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0",
"7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0",
"7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0",
"7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6",
"7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1",
"7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2",
"7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0",
"7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4",
"7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2",
"7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2",
"7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4",
"7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6",
"7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1",
"7.8", "7.7.3", "7.7.2", "7.7.1", "7.7", "7.6.1", "7.6",
"7.5.2", "7.5.1", "7.5", "7.4.2", "7.4.1", "7.4", "7.3",
"7.2.1", "7.2", "7.1.1"
]
}
],
"credits": [
{
"name": "Viktor Szakats",
"type": "FINDER"
},
{
"name": "Viktor Szakats",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl does not strip off user credentials from the URL when automatically\npopulating the `Referer:` HTTP request header field in outgoing HTTP requests,\nand therefore risks leaking sensitive data to the server that is the target of\nthe second HTTP request.\n\nlibcurl automatically sets the `Referer:` HTTP request header field in\noutgoing HTTP requests if the `CURLOPT_AUTOREFERER` option is set. With the\ncurl tool, it is enabled with `--referer \";auto\"`."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2020-8286",
"aliases": [
"CVE-2020-8286"
],
"summary": "Inferior OCSP verification",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2020-8286.json",
"www": "https://curl.se/docs/CVE-2020-8286.html",
"issue": "https://hackerone.com/reports/1048457",
"CWE": {
"id": "CWE-299",
"desc": "Improper Check for Certificate Revocation"
},
"award": {
"amount": "900",
"currency": "USD"
},
"last_affected": "7.73.0",
"severity": "Medium"
},
"published": "2020-12-09T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.41.0"},
{"fixed": "7.74.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "d1cf5d570663dac157740cb5e49d24614f185da7"},
{"fixed": "d9d01672785b8ac04aab1abb6de95fe3072ae199"}
]
}
],
"versions": [
"7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0",
"7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0",
"7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0",
"7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0",
"7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0",
"7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0",
"7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1",
"7.42.0", "7.41.0"
]
}
],
"credits": [
{
"name": "Ospoco",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl offers \"OCSP stapling\" via the `CURLOPT_SSL_VERIFYSTATUS` option. When\nset, libcurl verifies the OCSP response that a server responds with as part of\nthe TLS handshake. It then aborts the TLS negotiation if something is wrong\nwith the response. The same feature can be enabled with `--cert-status` using\nthe curl tool.\n\nAs part of the OCSP response verification, a client should verify that the\nresponse is indeed set out for the correct certificate. This step was not\nperformed by libcurl when built or told to use OpenSSL as TLS backend.\n\nThis flaw would allow an attacker, who perhaps could have breached a TLS\nserver, to provide a fraudulent OCSP response that would appear fine, instead\nof the real one. Like if the original certificate actually has been revoked."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2020-8285",
"aliases": [
"CVE-2020-8285"
],
"summary": "FTP wildcard stack overflow",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "lib",
"URL": "https://curl.se/docs/CVE-2020-8285.json",
"www": "https://curl.se/docs/CVE-2020-8285.html",
"issue": "https://hackerone.com/reports/1045844",
"CWE": {
"id": "CWE-674",
"desc": "Uncontrolled Recursion"
},
"last_affected": "7.73.0",
"severity": "Medium"
},
"published": "2020-12-09T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.21.0"},
{"fixed": "7.74.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "0825cd80a62c21725fb3615f1fdd3aa6cc5f0f34"},
{"fixed": "69a358f2186e04cf44698b5100332cbf1ee7f01d"}
]
}
],
"versions": [
"7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0",
"7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0",
"7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0",
"7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0",
"7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0",
"7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0",
"7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1",
"7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0",
"7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0",
"7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0",
"7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4",
"7.21.3", "7.21.2", "7.21.1", "7.21.0"
]
}
],
"credits": [
{
"name": "xnynx on github",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl offers a wildcard matching functionality, which allows a callback (set\nwith `CURLOPT_CHUNK_BGN_FUNCTION`) to return information back to libcurl on\nhow to handle a specific entry in a directory when libcurl iterates over a\nlist of all available entries.\n\nWhen this callback returns `CURL_CHUNK_BGN_FUNC_SKIP`, to tell libcurl to not\ndeal with that file, the internal function in libcurl then calls itself\nrecursively to handle the next directory entry.\n\nIf there is a sufficient amount of file entries and if the callback returns\n\"skip\" enough number of times, libcurl runs out of stack space. The exact\namount does of course vary with platforms, compilers and other environmental\nfactors.\n\nThe content of the remote directory is not kept on the stack, so it seems hard\nfor the attacker to control exactly what data that overwrites the stack -\nhowever it remains a Denial-Of-Service vector as a malicious user who controls\na server that a libcurl-using application works with under these premises can\ntrigger a crash.\n\n(There is also a few other ways the function can be made to call itself and\ntrigger this problem.)"
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2020-8284",
"aliases": [
"CVE-2020-8284"
],
"summary": "trusting FTP PASV responses",
"modified": "2024-07-02T09:22:24.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2020-8284.json",
"www": "https://curl.se/docs/CVE-2020-8284.html",
"issue": "https://hackerone.com/reports/1040166",
"CWE": {
"id": "CWE-200",
"desc": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"award": {
"amount": "700",
"currency": "USD"
},
"last_affected": "7.73.0",
"severity": "Low"
},
"published": "2020-12-09T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "4.0"},
{"fixed": "7.74.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "ae1912cb0d494b48d514d937826c9fe83ec96c4d"},
{"fixed": "ec9cc725d598ac77de7b6df8afeec292b3c8ad46"}
]
}
],
"versions": [
"7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0",
"7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0",
"7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0",
"7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0",
"7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0",
"7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0",
"7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1",
"7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0",
"7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0",
"7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0",
"7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4",
"7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7",
"7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0",
"7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3",
"7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2",
"7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0",
"7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0",
"7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2",
"7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4",
"7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3",
"7.7.2", "7.7.1", "7.7", "7.6.1", "7.6", "7.5.2", "7.5.1",
"7.5", "7.4.2", "7.4.1", "7.4", "7.3", "7.2.1", "7.2",
"7.1.1", "7.1", "6.5.2", "6.5.1", "6.5", "6.4", "6.3.1",
"6.3", "6.2", "6.1", "6.0", "5.11", "5.10", "5.9.1",
"5.9", "5.8", "5.7.1", "5.7", "5.5.1", "5.5", "5.4",
"5.3", "5.2.1", "5.2", "5.0", "4.10", "4.9", "4.8.4",
"4.8.3", "4.8.2", "4.8.1", "4.8", "4.7", "4.6", "4.5.1",
"4.5", "4.4", "4.3", "4.2", "4.1", "4.0"
]
}
],
"credits": [
{
"name": "Varnavas Papaioannou",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "When curl performs a passive FTP transfer, it first tries the `EPSV` command\nand if that is not supported, it falls back to using `PASV`. Passive mode is\nwhat curl uses by default.\n\nA server response to a `PASV` command includes the (IPv4) address and port\nnumber for the client to connect back to in order to perform the actual data\ntransfer.\n\nThis is how the FTP protocol is designed to work.\n\nA malicious server can use the `PASV` response to trick curl into connecting\nback to a given IP address and port, and this way potentially make curl\nextract information about services that are otherwise private and not\ndisclosed, for example doing port scanning and service banner extractions.\n\nIf curl operates on a URL provided by a user (which by all means is an unwise\nsetup), a user can exploit that and pass in a URL to a malicious FTP server\ninstance without needing any server breach to perform the attack."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2020-8231",
"aliases": [
"CVE-2020-8231"
],
"summary": "wrong connect-only connection",
"modified": "2025-09-27T10:58:29.00Z",
"database_specific": {
"package": "curl",
"affects": "lib",
"URL": "https://curl.se/docs/CVE-2020-8231.json",
"www": "https://curl.se/docs/CVE-2020-8231.html",
"issue": "https://hackerone.com/reports/948876",
"CWE": {
"id": "CWE-825",
"desc": "Expired Pointer Dereference"
},
"award": {
"amount": "500",
"currency": "USD"
},
"last_affected": "7.71.1",
"severity": "Low"
},
"published": "2020-08-19T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.29.0"},
{"fixed": "7.72.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "c43127414d89ccb9ef6517081f68986d991bcfb3"},
{"fixed": "3c9e021f86872baae412a427e807fbfa2f3e8a22"}
]
}
],
"versions": [
"7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0",
"7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0",
"7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0",
"7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0",
"7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2",
"7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0",
"7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0",
"7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0",
"7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0"
]
}
],
"credits": [
{
"name": "Marc Aldorasi",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "An application that performs multiple requests with libcurl's multi API and\nsets the `CURLOPT_CONNECT_ONLY` option, might in rare circumstances experience\nthat when subsequently using the setup connect-only transfer, libcurl picks\nand uses the wrong connection - and instead picks another one the application\nhas created since then.\n\n`CURLOPT_CONNECT_ONLY` is the option to tell libcurl to not perform an actual\ntransfer, only connect. When that operation is completed, libcurl remembers\nwhich connection it used for that transfer and \"easy handle\". It remembers the\nconnection using a pointer to the internal `connectdata` struct in memory.\n\nIf more transfers are then done with the same multi handle before the\nconnect-only connection is used, leading to the initial connect-only\nconnection to get closed (for example due to idle time-out) while also new\ntransfers (and connections) are setup, such a *new* connection might end up\ngetting the exact same memory address as the now closed connect-only\nconnection.\n\nIf after those operations, the application then wants to use the original\ntransfer's connect-only setup to for example use `curl_easy_send()` to send\nraw data over that connection, libcurl could **erroneously** find an existing\nconnection still being alive at the address it remembered since before even\nthough this is now a new and different connection.\n\nThe application could then accidentally send data over that connection which\nwas not at all intended for that recipient, entirely unknowingly."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2020-8177",
"aliases": [
"CVE-2020-8177"
],
"summary": "curl overwrite local file with -J",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "tool",
"URL": "https://curl.se/docs/CVE-2020-8177.json",
"www": "https://curl.se/docs/CVE-2020-8177.html",
"issue": "https://hackerone.com/reports/887462",
"CWE": {
"id": "CWE-641",
"desc": "Improper Restriction of Names for Files and Other Resources"
},
"award": {
"amount": "700",
"currency": "USD"
},
"last_affected": "7.70.0",
"severity": "Medium"
},
"published": "2020-06-24T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.20.0"},
{"fixed": "7.71.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "80675818e0417be8c991513b328c5507e93b47e5"},
{"fixed": "8236aba58542c5f89f1d41ca09d84579efb05e22"}
]
}
],
"versions": [
"7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3",
"7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0",
"7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1",
"7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0",
"7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0",
"7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0",
"7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0",
"7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0",
"7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0",
"7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7",
"7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0",
"7.20.1", "7.20.0"
]
}
],
"credits": [
{
"name": "sn on hackerone",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "curl can be tricked by a malicious server to overwrite a local file when using\n`-J` (`--remote-header-name`) and `-i` (`--include`) in the same command line.\n\nThe command line tool offers the `-J` option that saves a remote file using\nthe filename present in the `Content-Disposition:` response header. curl then\nrefuses to overwrite an existing local file using the same name, if one\nalready exists in the current directory.\n\nThe `-J` flag is designed to save a response body, and so it does not work\ntogether with `-i` and there is logic that forbids it. However, the check is\nflawed and does not properly check for when the options are used in the\nreversed order: first using `-J` and then `-i` were mistakenly accepted.\n\nThe result of this mistake was that incoming HTTP headers could overwrite a\nlocal file if one existed, as the check to avoid the local file was done first\nwhen body data was received, and due to the mistake mentioned above, it could\nalready have received and saved headers by that time.\n\nThe saved file would only get response headers added to it, as it would abort\nthe saving when the first body byte arrives. A malicious server could however\nstill be made to send back virtually anything as headers and curl would save\nthem like this, until the first CRLF-CRLF sequence appears.\n\n(Also note that `-J` needs to be used in combination with `-O` to have any\neffect.)"
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2020-8169",
"aliases": [
"CVE-2020-8169"
],
"summary": "Partial password leak over DNS on HTTP redirect",
"modified": "2025-05-15T17:48:29.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2020-8169.json",
"www": "https://curl.se/docs/CVE-2020-8169.html",
"issue": "https://hackerone.com/reports/874778",
"CWE": {
"id": "CWE-200",
"desc": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"award": {
"amount": "400",
"currency": "USD"
},
"last_affected": "7.70.0",
"severity": "Medium"
},
"published": "2020-06-24T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.62.0"},
{"fixed": "7.71.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "46e164069d1a5230e4e64cbd2ff46c46cce056bb"},
{"fixed": "600a8cded447cd7118ed50142c576567c0cf5158"}
]
}
],
"versions": [
"7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3",
"7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0"
]
}
],
"credits": [
{
"name": "Marek Szlagor",
"type": "FINDER"
},
{
"name": "Gregory Jefferis",
"type": "FINDER"
},
{
"name": "Jeroen Ooms",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl can be tricked to prepend a part of the password to the hostname\nbefore it resolves it, potentially leaking the partial password over the\nnetwork and to the DNS server(s).\n\nlibcurl can be given a username and password for HTTP authentication when\nrequesting an HTTP resource - used for HTTP Authentication such as Basic,\nDigest, NTLM and similar. The credentials are set, either together with\n`CURLOPT_USERPWD` or separately with `CURLOPT_USERNAME` and\n`CURLOPT_PASSWORD`. Important detail: these strings are given to libcurl as\nplain C strings and they are not supposed to be URL encoded.\n\nIn addition, libcurl also allows the credentials to be set in the URL, using\nthe standard RFC 3986 format: `http://user:password@host/path`. In this case,\nthe name and password are URL encoded as that is how they appear in URLs.\n\nIf the options are set, they override the credentials set in the URL.\n\nInternally, this is handled by storing the credentials in the \"URL object\" so\nthat there is only a single set of credentials stored associated with this\nsingle URL.\n\nWhen libcurl handles a relative redirect (as opposed to an absolute URL\nredirect) for an HTTP transfer, the server is only sending a new path to the\nclient and that path is applied on to the existing URL. That \"applying\" of the\nrelative path on top of an absolute URL is done by libcurl first generating a\nfull absolute URL out of all the components it has, then it applies the\nredirect and finally it deconstructs the URL again into its separate\ncomponents.\n\nThis security vulnerability originates in the fact that curl did not correctly\nURL encode the credential data when set using one of the `curl_easy_setopt`\noptions described above. 
This made curl generate a badly formatted full URL\nwhen it would do a redirect and the final re-parsing of the URL would then go\nbad and wrongly consider a part of the password field to belong to the host\nname.\n\nThe wrong hostname would then be used in a name resolve lookup, potentially\nleaking the hostname + partial password in clear text over the network (if\nplain DNS was used) and in particular to the used DNS server(s).\n\nThe password leak is triggered if an at sign (`@`) is used in the password\nfield, like this: `passw@rd123`. If we also consider a user `dan`, curl would\ngenerate a full URL like:\n\n `https://dan:passw@rd123@example.com/path`\n\n... while a correct one should have been:\n\n `https://dan:passw%40rd123@example.com/path`\n\n... when parsing the wrongly generated URL, libcurl would end up with user\nname `dan` and password `passw` talking to the host `rd123@example.com`. That\nbad hostname would then be passed on to the name resolver function in use\n(and for all typical cases return a \"cannot resolve hostname\" error).\n\nThere is no hint in the name resolve as to how large portion of the password\nthat is actually prepended to the hostname (i.e. an observer does not know how\nmuch data there was on the left side of the `@`), but it can of course be a\nsignificant enough clue for an attacker to figure out the rest."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2019-5481",
"aliases": [
"CVE-2019-5481"
],
"summary": "FTP-KRB double free",
"modified": "2025-05-15T17:48:29.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2019-5481.json",
"www": "https://curl.se/docs/CVE-2019-5481.html",
"issue": "https://hackerone.com/reports/686823",
"CWE": {
"id": "CWE-415",
"desc": "Double Free"
},
"award": {
"amount": "200",
"currency": "USD"
},
"last_affected": "7.65.3",
"severity": "Medium"
},
"published": "2019-09-11T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.52.0"},
{"fixed": "7.66.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "0649433da53c7165f839e24e889e131e2894dd32"},
{"fixed": "9069838b30fb3b48af0123e39f664cea683254a5"}
]
}
],
"versions": [
"7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0",
"7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0",
"7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1",
"7.53.0", "7.52.1", "7.52.0"
]
}
],
"credits": [
{
"name": "Thomas Vegas",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl can be told to use kerberos over FTP to a server, as set with the\n`CURLOPT_KRBLEVEL` option.\n\nDuring such kerberos FTP data transfer, the server sends data to curl in\nblocks with the 32 bit size of each block first and then that amount of data\nimmediately following.\n\nA malicious or just broken server can claim to send a very large block and if\nby doing that it makes curl's subsequent call to `realloc()` to fail, curl\nwould then misbehave in the exit path and double free the memory.\n\nIn practical terms, an up to 4 GB memory area may very well be fine to\nallocate on a modern 64 bit system but on 32 bit systems it fails.\n\nKerberos FTP is a rarely used protocol with curl. Also, Kerberos\nauthentication is usually only attempted and used with servers that the client\nhas a previous association with."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2019-5482",
"aliases": [
"CVE-2019-5482"
],
"summary": "TFTP small blocksize heap buffer overflow",
"modified": "2025-05-15T17:48:29.00Z",
"database_specific": {
"package": "curl",
"affects": "lib",
"URL": "https://curl.se/docs/CVE-2019-5482.json",
"www": "https://curl.se/docs/CVE-2019-5482.html",
"issue": "https://hackerone.com/reports/684603",
"CWE": {
"id": "CWE-122",
"desc": "Heap-based Buffer Overflow"
},
"award": {
"amount": "250",
"currency": "USD"
},
"last_affected": "7.65.3",
"severity": "Medium"
},
"published": "2019-09-11T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.19.4"},
{"fixed": "7.66.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "0516ce7786e9500c2e447d48aa9b3f24a6ca70f9"},
{"fixed": "facb0e4662415b5f28163e853dc6742ac5fafb3d"}
]
}
],
"versions": [
"7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0",
"7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0",
"7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1",
"7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1",
"7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0",
"7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0",
"7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0",
"7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0",
"7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0",
"7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1",
"7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4"
]
}
],
"credits": [
{
"name": "Thomas Vegas",
"type": "FINDER"
},
{
"name": "Thomas Vegas",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl contains a heap buffer overflow in the function\n(`tftp_receive_packet()`) that receives data from a TFTP server. It can call\n`recvfrom()` with the default size for the buffer rather than with the size\nthat was used to allocate it. Thus, the content that might overwrite the heap\nmemory is controlled by the server.\n\nThis flaw is only triggered if the TFTP server sends an `OACK` without the\n`BLKSIZE` option, when a `BLKSIZE` smaller than 512 bytes was requested by the\nTFTP client. `OACK` is a TFTP extension and is not used by all TFTP servers.\n\nUsers choosing a smaller block size than default should be rare as the primary\nuse case for changing the size is to make it larger.\n\nIt is rare for users to use TFTP across the Internet. It is most commonly used\nwithin local networks. TFTP as a protocol is always inherently insecure.\n\nThis issue was introduced by the add of the TFTP `BLKSIZE` option handling. It\nwas previously incompletely fixed by an almost identical issue called\nCVE-2019-5436."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2019-5443",
"aliases": [
"CVE-2019-5443"
],
"summary": "Windows OpenSSL engine code injection",
"modified": "2025-01-07T11:34:40.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2019-5443.json",
"www": "https://curl.se/docs/CVE-2019-5443.html",
"issue": "https://hackerone.com/reports/608577",
"CWE": {
"id": "CWE-94",
"desc": "Improper Control of Generation of Code ('Code Injection')"
},
"award": {
"amount": "200",
"currency": "USD"
},
"last_affected": "7.65.1",
"severity": "High"
},
"published": "2019-06-24T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.44.0"},
{"fixed": "7.66.0"}
]
} ],
"versions": [
"7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1",
"7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0",
"7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1",
"7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1",
"7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0"
]
}
],
"credits": [
{
"name": "Rich Mirch",
"type": "FINDER"
},
{
"name": "Viktor Szakats",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "A non-privileged user or program can put code and a config file in a known\nnon-privileged path (under `C:/usr/local/`) that makes curl automatically run\nthe code (as an OpenSSL \"engine\") on invocation. If that curl is invoked by a\nprivileged user it can do anything it wants.\n\nThis flaw exists in the official curl-for-windows binaries built and hosted by\nthe curl project (all versions up to and including 7.65.1_1). It **does not**\nexist in the curl executable shipped by Microsoft, bundled with Windows 10. It\npossibly exists in other curl builds for Windows too that uses OpenSSL.\n\nThe curl project has provided official curl executable builds for Windows\nsince [late August\n2018](https://daniel.haxx.se/blog/2018/08/27/blessed-curl-builds-for-windows/).\n\nThere exists proof of concept exploits of this flaw."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2019-5436",
"aliases": [
"CVE-2019-5436"
],
"summary": "TFTP receive buffer overflow",
"modified": "2024-01-12T23:34:54.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2019-5436.json",
"www": "https://curl.se/docs/CVE-2019-5436.html",
"issue": "https://hackerone.com/reports/550696",
"CWE": {
"id": "CWE-122",
"desc": "Heap-based Buffer Overflow"
},
"award": {
"amount": "200",
"currency": "USD"
},
"last_affected": "7.64.1",
"severity": "Low"
},
"published": "2019-05-22T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.19.4"},
{"fixed": "7.65.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "0516ce7786e9500c2e447d48aa9b3f24a6ca70f9"},
{"fixed": "2576003415625d7b5f0e390902f8097830b82275"}
]
}
],
"versions": [
"7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0",
"7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0",
"7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0",
"7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0",
"7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1",
"7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0",
"7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0",
"7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0",
"7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4",
"7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7",
"7.19.6", "7.19.5", "7.19.4"
]
}
],
"credits": [
{
"name": "l00p3r",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl contains a heap buffer overflow in the function\n(`tftp_receive_packet()`) that receives data from a TFTP server. It calls\n`recvfrom()` with the default size for the buffer rather than with the size\nthat was used to allocate it. Thus, the content that might overwrite the heap\nmemory is entirely controlled by the server.\n\nThe flaw exists if the user selects to use a `blksize` of 504 or smaller\n(default is 512). The smaller size that is used, the larger the possible\noverflow becomes.\n\nUsers choosing a smaller size than default should be rare as the primary use\ncase for changing the size is to make it larger.\n\nIt is rare for users to use TFTP across the Internet. It is most commonly used\nwithin local networks."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2019-5435",
"aliases": [
"CVE-2019-5435"
],
"summary": "Integer overflows in URL parser",
"modified": "2024-01-12T23:34:54.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2019-5435.json",
"www": "https://curl.se/docs/CVE-2019-5435.html",
"issue": "https://hackerone.com/reports/547630",
"CWE": {
"id": "CWE-131",
"desc": "Incorrect Calculation of Buffer Size"
},
"award": {
"amount": "150",
"currency": "USD"
},
"last_affected": "7.64.1",
"severity": "Low"
},
"published": "2019-05-22T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.62.0"},
{"fixed": "7.65.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "fb30ac5a2d63773c529c19259754e2b306ac2e2e"},
{"fixed": "5fc28510a4664f46459d9a40187d81cc08571e60"}
]
}
],
"versions": [
"7.64.1", "7.64.0", "7.63.0", "7.62.0"
]
}
],
"credits": [
{
"name": "Wenchao Li",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl contains two integer overflows in the `curl_url_set()` function that\nif triggered, can lead to a too small buffer allocation and a subsequent heap\nbuffer overflow.\n\nThe flaws only exist on 32 bit architectures and require excessive string\ninput lengths."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2018-16890",
"aliases": [
"CVE-2018-16890"
],
"summary": "NTLM type-2 out-of-bounds buffer read",
"modified": "2023-05-06T00:27:48.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2018-16890.json",
"www": "https://curl.se/docs/CVE-2018-16890.html",
"CWE": {
"id": "CWE-125",
"desc": "Out-of-bounds Read"
},
"last_affected": "7.63.0",
"severity": "Medium"
},
"published": "2019-02-06T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.36.0"},
{"fixed": "7.64.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "86724581b6c02d160b52f817550cfdfc9c93af62"},
{"fixed": "b780b30d1377adb10bbe774835f49e9b237fb9bb"}
]
}
],
"versions": [
"7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0",
"7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0",
"7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2",
"7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0",
"7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0",
"7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0"
]
}
],
"credits": [
{
"name": "Wenxiang Qian of Tencent Blade Team",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl contains a heap buffer out-of-bounds read flaw.\n\nThe function handling incoming NTLM type-2 messages\n(`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data\ncorrectly and is subject to an integer overflow vulnerability.\n\nUsing that overflow, a malicious or broken NTLM server could trick libcurl to\naccept a bad length + offset combination that would lead to a buffer read\nout-of-bounds."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2019-3822",
"aliases": [
"CVE-2019-3822"
],
"summary": "NTLMv2 type-3 header stack buffer overflow",
"modified": "2023-05-09T13:59:45.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2019-3822.json",
"www": "https://curl.se/docs/CVE-2019-3822.html",
"CWE": {
"id": "CWE-121",
"desc": "Stack-based Buffer Overflow"
},
"last_affected": "7.63.0",
"severity": "High"
},
"published": "2019-02-06T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.36.0"},
{"fixed": "7.64.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "86724581b6c02d160b52f817550cfdfc9c93af62"},
{"fixed": "50c9484278c63b958655a717844f0721263939cc"}
]
}
],
"versions": [
"7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0",
"7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0",
"7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2",
"7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0",
"7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0",
"7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0"
]
}
],
"credits": [
{
"name": "Wenxiang Qian of Tencent Blade Team",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
},
{
"name": "Huzaifa Sidhpurwala",
"type": "OTHER"
}
],
"details": "libcurl contains a stack based buffer overflow vulnerability.\n\nThe function creating an outgoing NTLM type-3 header\n(`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the\nrequest HTTP header contents based on previously received data. The check that\nexists to prevent the local buffer from getting overflowed is implemented\nwrongly (using unsigned math) and as such it does not prevent the overflow\nfrom happening.\n\nThis output data can grow larger than the local buffer if very large response\ndata is extracted from a previous NTLMv2 header provided by the malicious or\nbroken HTTP server.\n\nSuch large response data needs to be around 1000 bytes or more. The actual\npayload data copied to the target buffer comes from the NTLMv2 type-2 response\nheader."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2019-3823",
"aliases": [
"CVE-2019-3823"
],
"summary": "SMTP end-of-response out-of-bounds read",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2019-3823.json",
"www": "https://curl.se/docs/CVE-2019-3823.html",
"CWE": {
"id": "CWE-125",
"desc": "Out-of-bounds Read"
},
"last_affected": "7.63.0",
"severity": "Low"
},
"published": "2019-02-06T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.34.0"},
{"fixed": "7.64.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "2766262a68688c1dd8143f9c4be84b46c408b70a"},
{"fixed": "39df4073e5413fcdbb5a38da0c1ce6f1c0ceb484"}
]
}
],
"versions": [
"7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0",
"7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0",
"7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2",
"7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0",
"7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0",
"7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0",
"7.34.0"
]
}
],
"credits": [
{
"name": "Brian Carpenter (Geeknik Labs)",
"type": "FINDER"
},
{
"name": "Daniel Gustafsson",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl contains a heap out-of-bounds read in the code handling the\nend-of-response for SMTP.\n\nIf the buffer passed to `smtp_endofresp()` is not null terminated and contains\nno character ending the parsed number, and `len` is set to 5, then the\n`strtol()` call reads beyond the allocated buffer. The read content is not\nreturned to the caller."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2018-16842",
"aliases": [
"CVE-2018-16842"
],
"summary": "warning message out-of-buffer read",
"modified": "2024-07-02T09:22:24.00Z",
"database_specific": {
"package": "curl",
"affects": "tool",
"URL": "https://curl.se/docs/CVE-2018-16842.json",
"www": "https://curl.se/docs/CVE-2018-16842.html",
"CWE": {
"id": "CWE-125",
"desc": "Out-of-bounds Read"
},
"award": {
"amount": "100",
"currency": "USD"
},
"last_affected": "7.61.1",
"severity": "Low"
},
"published": "2018-10-31T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.14.1"},
{"fixed": "7.62.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "d9ca9154d111e1287cc7ef06ec543094a4433f1f"},
{"fixed": "d530e92f59ae9bb2d47066c3c460b25d2ffeb211"}
]
}
],
"versions": [
"7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1",
"7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0",
"7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0",
"7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0",
"7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0",
"7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0",
"7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0",
"7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7",
"7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0",
"7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3",
"7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1",
"7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5",
"7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1"
]
}
],
"credits": [
{
"name": "Brian Carpenter (Geeknik Labs)",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "curl contains a heap out of buffer read vulnerability.\n\nThe command line tool has a generic function for displaying warning and\ninformational messages to stderr for various situations. For example if an\nunknown command line argument is used, or passed to it in a \"config\" file.\n\nThis display function formats the output to wrap at 80 columns. The wrap logic\nis however flawed, so if a single word in the message is itself longer than 80\nbytes the buffer arithmetic calculates the remainder wrong and ends up reading\nbehind the end of the buffer. This could lead to information disclosure or\ncrash.\n\nThis vulnerability could lead to a security issue if used in this or similar\nsituations:\n\n 1. a server somewhere uses the curl command line to run something\n 2. if it fails, it shows stderr to the user\n 3. the server takes user input for parts of its command line input\n 4. user provides something overly long that triggers this crash\n 5. the stderr output may now contain user memory contents that was not meant\n to be available"
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2018-16840",
"aliases": [
"CVE-2018-16840"
],
"summary": "use after free in handle close",
"modified": "2024-07-02T09:22:24.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2018-16840.json",
"www": "https://curl.se/docs/CVE-2018-16840.html",
"CWE": {
"id": "CWE-416",
"desc": "Use After Free"
},
"award": {
"amount": "100",
"currency": "USD"
},
"last_affected": "7.61.1",
"severity": "Low"
},
"published": "2018-10-31T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.59.0"},
{"fixed": "7.62.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "b46cfbc068ebe90f18e9777b9e877e4934c1b5e3"},
{"fixed": "81d135d67155c5295b1033679c606165d4e28f3f"}
]
}
],
"versions": [
"7.61.1", "7.61.0", "7.60.0", "7.59.0"
]
}
],
"credits": [
{
"name": "Brian Carpenter (Geeknik Labs)",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl contains a heap use after free flaw in code related to closing an easy\nhandle.\n\nWhen closing and cleaning up an \"easy\" handle in the `Curl_close()` function,\nthe library code first frees a struct (without clearing the pointer) and might\nthen subsequently erroneously write to a struct field within that already\nfreed struct."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2018-16839",
"aliases": [
"CVE-2018-16839"
],
"summary": "SASL password overflow via integer overflow",
"modified": "2024-07-02T09:22:24.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2018-16839.json",
"www": "https://curl.se/docs/CVE-2018-16839.html",
"CWE": {
"id": "CWE-131",
"desc": "Incorrect Calculation of Buffer Size"
},
"last_affected": "7.61.1",
"severity": "Low"
},
"published": "2018-10-31T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.33.0"},
{"fixed": "7.62.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "c56f9797e7feb7c2dc93bc389d4b85cc75220d77"},
{"fixed": "f3a24d7916b9173c69a3e0ee790102993833d6c5"}
]
}
],
"versions": [
"7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1",
"7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0",
"7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0",
"7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0",
"7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0",
"7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0"
]
}
],
"credits": [
{
"name": "Harry Sintonen",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl contains a buffer overrun in the SASL authentication code.\n\nThe internal function `Curl_auth_create_plain_message` fails to correctly\nverify that the passed in lengths for name and password are not too long, then\ncalculates a buffer size to allocate.\n\nOn systems with a 32 bit `size_t`, the math to calculate the buffer size\ntriggers an integer overflow when the username length exceeds 1GB and the\npassword name length is close to 2GB in size. This integer overflow usually\ncauses a very small buffer to actually get allocated instead of the intended\nvery huge one, making the use of that buffer end up in a heap buffer overflow.\n\n(This bug is very similar to\n[CVE-2018-14618](https://curl.se/docs/CVE-2018-14618.html).)"
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2018-14618",
"aliases": [
"CVE-2018-14618"
],
"summary": "NTLM password overflow via integer overflow",
"modified": "2024-07-02T09:22:24.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2018-14618.json",
"www": "https://curl.se/docs/CVE-2018-14618.html",
"CWE": {
"id": "CWE-131",
"desc": "Incorrect Calculation of Buffer Size"
},
"last_affected": "7.61.0",
"severity": "High"
},
"published": "2018-09-05T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.15.4"},
{"fixed": "7.61.1"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "be285cde3f52571087816759220a68cb994d9307"},
{"fixed": "57d299a499155d4b327e341c6024e293b0418243"}
]
}
],
"versions": [
"7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0",
"7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1",
"7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1",
"7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0",
"7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0",
"7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0",
"7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0",
"7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6",
"7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1",
"7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2",
"7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0",
"7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4"
]
}
],
"credits": [
{
"name": "Zhaoyang Wu",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl contains a buffer overrun in the NTLM authentication code.\n\nThe internal function `Curl_ntlm_core_mk_nt_hash` multiplies the `length` of\nthe password by two (SUM) to figure out how large temporary storage area to\nallocate from the heap.\n\nThe `length` value is then subsequently used to iterate over the password and\ngenerate output into the allocated storage buffer. On systems with a 32 bit\n`size_t`, the math to calculate SUM triggers an integer overflow when the\npassword length exceeds 2GB (2^31 bytes). This integer overflow usually causes\na very small buffer to actually get allocated instead of the intended very\nhuge one, making the use of that buffer end up in a heap buffer overflow.\n\n(This bug is almost identical to\n[CVE-2017-8816](https://curl.se/docs/CVE-2017-8816.html).)"
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2018-0500",
"aliases": [
"CVE-2018-0500"
],
"summary": "SMTP send heap buffer overflow",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2018-0500.json",
"www": "https://curl.se/docs/CVE-2018-0500.html",
"CWE": {
"id": "CWE-122",
"desc": "Heap-based Buffer Overflow"
},
"last_affected": "7.60.0",
"severity": "High"
},
"published": "2018-07-11T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.54.1"},
{"fixed": "7.61.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "e40e9d7f0decc799e3ccfe2c418632f8bb52031a"},
{"fixed": "ba1dbd78e5f1ed67c1b8d37ac89d90e5e330b628"}
]
}
],
"versions": [
"7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1",
"7.55.0", "7.54.1"
]
}
],
"credits": [
{
"name": "Peter Wu",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "curl might overflow a heap based memory buffer when sending data over SMTP and\nusing a reduced read buffer.\n\nWhen sending data over SMTP, curl allocates a separate \"scratch area\" on the\nheap to be able to escape the uploaded data properly if the uploaded data\ncontains data that requires it.\n\nThe size of this temporary scratch area was mistakenly made to be `2 *\nsizeof(download_buffer)` when it should have been made `2 *\nsizeof(upload_buffer)`.\n\nThe upload and the download buffer sizes are identically sized by default\n(16KB) but since version 7.54.1, curl can resize the download buffer into a\nsmaller buffer (as well as larger). If the download buffer size is set to a\nvalue smaller than 10923, the `Curl_smtp_escape_eob()` function might overflow\nthe scratch buffer when sending contents of sufficient size and contents.\n\nThe curl command line tool lowers the buffer size when `--limit-rate` is set\nto a value smaller than 16KB."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2018-1000300",
"aliases": [
"CVE-2018-1000300"
],
"summary": "FTP shutdown response buffer overflow",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2018-1000300.json",
"www": "https://curl.se/docs/CVE-2018-1000300.html",
"CWE": {
"id": "CWE-122",
"desc": "Heap-based Buffer Overflow"
},
"last_affected": "7.59.0",
"severity": "High"
},
"published": "2018-05-16T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.54.1"},
{"fixed": "7.60.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "e40e9d7f0decc799e3ccfe2c418632f8bb52031a"},
{"fixed": "583b42cb3b809b1bf597af160468ccba728c2248"}
]
}
],
"versions": [
"7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0",
"7.54.1"
]
}
],
"credits": [
{
"name": "Dario Weisser",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "curl might overflow a heap based memory buffer when closing down an FTP\nconnection with very long server command replies.\n\nWhen doing FTP transfers, curl keeps a spare \"closure handle\" around\ninternally that is used when an FTP connection gets shut down since the\noriginal curl easy handle is then already removed.\n\nFTP server response data that gets cached from the original transfer might\nthen be larger than the default buffer size (16 KB) allocated in the \"closure\nhandle\", which can lead to a buffer overwrite. The contents and size of that\noverwrite is controllable by the server.\n\nThis situation was detected by an assert() in the code, but that was of course\nonly preventing bad stuff in debug builds. This bug is very unlikely to\ntrigger with non-malicious servers."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2018-1000301",
"aliases": [
"CVE-2018-1000301"
],
"summary": "RTSP bad headers buffer over-read",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2018-1000301.json",
"www": "https://curl.se/docs/CVE-2018-1000301.html",
"CWE": {
"id": "CWE-126",
"desc": "Buffer Over-read"
},
"last_affected": "7.59.0",
"severity": "Medium"
},
"published": "2018-05-16T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.20.0"},
{"fixed": "7.60.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "bc4582b68a673d3b0f5a2e7d971605de2c8b3730"},
{"fixed": "8c7b3737d29ed5c0575bf592063de8a51450812d"}
]
}
],
"versions": [
"7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0",
"7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0",
"7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0",
"7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1",
"7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0",
"7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0",
"7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0",
"7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4",
"7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0"
]
}
],
"credits": [
{
"name": "OSS-Fuzz",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
},
{
"name": "Max Dymond",
"type": "OTHER"
}
],
"details": "curl can be tricked into reading data beyond the end of a heap based buffer\nused to store downloaded content.\n\nWhen servers send RTSP responses back to curl, the data starts out with a set\nof headers. curl parses that data to separate it into a number of headers to\ndeal with those appropriately and to find the end of the headers that signal\nthe start of the \"body\" part.\n\nThe function that splits up the response into headers is called\n`Curl_http_readwrite_headers()` and in situations where it cannot find a single\nheader in the buffer, it might end up leaving a pointer pointing into the\nbuffer instead of to the start of the buffer which then later on may lead to\nan out of buffer read when code assumes that pointer points to a full buffer\nsize worth of memory to use.\n\nThis could potentially lead to information leakage but most likely a\ncrash/denial of service for applications if a server triggers this flaw."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2018-1000122",
"aliases": [
"CVE-2018-1000122"
],
"summary": "RTSP RTP buffer over-read",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2018-1000122.json",
"www": "https://curl.se/docs/CVE-2018-1000122.html",
"CWE": {
"id": "CWE-126",
"desc": "Buffer Over-read"
},
"last_affected": "7.58.0",
"severity": "Medium"
},
"published": "2018-03-14T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.20.0"},
{"fixed": "7.59.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "bc4582b68a673d3b0f5a2e7d971605de2c8b3730"},
{"fixed": "d52dc4760f6d9ca1937eefa2093058a952465128"}
]
}
],
"versions": [
"7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1",
"7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3",
"7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1",
"7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0",
"7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0",
"7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0",
"7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1",
"7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3",
"7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0"
]
}
],
"credits": [
{
"name": "OSS-fuzz",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
},
{
"name": "Max Dymond",
"type": "OTHER"
}
],
"details": "curl can be tricked into copying data beyond end of its heap based buffer.\n\nWhen asked to transfer an RTSP URL, curl could calculate a wrong data length\nto copy from the read buffer. The `memcpy()` call would copy data from the\nheap following the buffer to a storage area that would subsequently be\ndelivered to the application (if it did not cause a crash). We have managed to\nget it to reach several hundreds bytes out of range.\n\nThis could lead to information leakage or a denial of service for the\napplication if the server offering the RTSP data can trigger this."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2018-1000121",
"aliases": [
"CVE-2018-1000121"
],
"summary": "LDAP NULL pointer dereference",
"modified": "2023-05-06T00:27:48.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2018-1000121.json",
"www": "https://curl.se/docs/CVE-2018-1000121.html",
"CWE": {
"id": "CWE-476",
"desc": "NULL Pointer Dereference"
},
"last_affected": "7.58.0",
"severity": "Low"
},
"published": "2018-03-14T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.21.0"},
{"fixed": "7.59.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "2e056353b00d0944bdb2f8e948cc40a4dc0f3dfb"},
{"fixed": "9889db043393092e9d4b5a42720bba0b3d58deba"}
]
}
],
"versions": [
"7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1",
"7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3",
"7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1",
"7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0",
"7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0",
"7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0",
"7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1",
"7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3",
"7.21.2", "7.21.1", "7.21.0"
]
}
],
"credits": [
{
"name": "Dario Weisser",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "curl might dereference a near-NULL address when getting an LDAP URL.\n\nThe function `ldap_get_attribute_ber()` is called to get attributes, but it\nturns out that it can return `LDAP_SUCCESS` and still return a `NULL` pointer\nin the result pointer when getting a particularly crafted response. This was a\nsurprise to us and to the code.\n\nlibcurl-using applications that allow LDAP URLs, or that allow redirects to\nLDAP URLs could be made to crash by a malicious server."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2018-1000120",
"aliases": [
"CVE-2018-1000120"
],
"summary": "FTP path trickery leads to NIL byte out of bounds write",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2018-1000120.json",
"www": "https://curl.se/docs/CVE-2018-1000120.html",
"CWE": {
"id": "CWE-122",
"desc": "Heap-based Buffer Overflow"
},
"last_affected": "7.58.0",
"severity": "High"
},
"published": "2018-03-14T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.12.3"},
{"fixed": "7.59.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "6e1e9caa32da099569bb95e64faf0b5f3cf103b5"},
{"fixed": "535432c0adb62fe167ec09621500470b6fa4eb0f"}
]
}
],
"versions": [
"7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1",
"7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3",
"7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1",
"7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0",
"7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0",
"7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0",
"7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1",
"7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3",
"7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6",
"7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2",
"7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2",
"7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1",
"7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3"
]
}
],
"credits": [
{
"name": "Duy Phan Thanh",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "curl can be fooled into writing a zero byte out of bounds.\n\nThis bug can trigger when curl is told to work on an FTP URL, with the setting\nto only issue a single CWD command (`--ftp-method singlecwd` or the libcurl\nalternative `CURLOPT_FTP_FILEMETHOD`).\n\ncurl then URL-decodes the given path, calls strlen() on the result and deducts\nthe length of the filename part to find the end of the directory within the\nbuffer. It then writes a zero byte on that index, in a buffer allocated on the\nheap.\n\nIf the directory part of the URL contains a \"%00\" sequence, the directory\nlength might end up shorter than the filename path, making the calculation\n`size_t index = directory_len - filepart_len` end up with a huge index\nvariable for where the zero byte gets stored: `heap_buffer[index] = 0`. On\nseveral architectures that huge index wraps and works as a negative value,\nthus overwriting memory *before* the intended heap buffer.\n\nBy using different file part lengths and putting %00 in different places in\nthe URL, an attacker that can control what paths a curl-using application uses\ncan write that zero byte on different indexes."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2018-1000007",
"aliases": [
"CVE-2018-1000007"
],
"summary": "HTTP authentication leak in redirects",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2018-1000007.json",
"www": "https://curl.se/docs/CVE-2018-1000007.html",
"CWE": {
"id": "CWE-522",
"desc": "Insufficiently Protected Credentials"
},
"last_affected": "7.57.0",
"severity": "Low"
},
"published": "2018-01-24T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "6.0"},
{"fixed": "7.58.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "ae1912cb0d494b48d514d937826c9fe83ec96c4d"},
{"fixed": "af32cd3859336ab963591ca0df9b1e33a7ee066b"}
]
}
],
"versions": [
"7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0",
"7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2",
"7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0",
"7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0",
"7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0",
"7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1",
"7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0",
"7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2",
"7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5",
"7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1",
"7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1",
"7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0",
"7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2",
"7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7",
"7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10",
"7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2",
"7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1",
"7.7", "7.6.1", "7.6", "7.5.2", "7.5.1", "7.5", "7.4.2",
"7.4.1", "7.4", "7.3", "7.2.1", "7.2", "7.1.1", "7.1",
"6.5.2", "6.5.1", "6.5", "6.4", "6.3.1", "6.3", "6.2",
"6.1", "6.0"
]
}
],
"credits": [
{
"name": "Craig de Stigter",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "curl might leak authentication data to third parties.\n\nWhen asked to send custom headers in its HTTP requests, curl sends that set of\nheaders first to the host in the initial URL but also, if asked to follow\nredirects and a 30X HTTP response code is returned, to the host mentioned in\nURL in the `Location:` response header value.\n\nSending the same set of headers to subsequent hosts is in particular a problem\nfor applications that pass on custom `Authorization:` headers, as this header\noften contains privacy sensitive information or data that could allow others\nto impersonate the curl-using client's request."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2018-1000005",
"aliases": [
"CVE-2018-1000005"
],
"summary": "HTTP/2 trailer out-of-bounds read",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2018-1000005.json",
"www": "https://curl.se/docs/CVE-2018-1000005.html",
"CWE": {
"id": "CWE-126",
"desc": "Buffer Over-read"
},
"last_affected": "7.57.0",
"severity": "Low"
},
"published": "2018-01-24T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.49.0"},
{"fixed": "7.58.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "0761a51ee0551ad9e523cbdba24ce00d22fff9c1"},
{"fixed": "fa3dbb9a147488a2943bda809c66fc497efe06cb"}
]
}
],
"versions": [
"7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0",
"7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2",
"7.50.1", "7.50.0", "7.49.1", "7.49.0"
]
}
],
"credits": [
{
"name": "Zhouyihai Ding",
"type": "FINDER"
},
{
"name": "Zhouyihai Ding",
"type": "REMEDIATION_DEVELOPER"
},
{
"name": "Ray Satiro",
"type": "OTHER"
}
],
"details": "libcurl contains an out bounds read in code handling HTTP/2 trailers.\n\nIt was [reported](https://github.com/curl/curl/pull/2231) that reading an\nHTTP/2 trailer could mess up future trailers since the stored size was one\nbyte less than required.\n\nThe problem is that the code that creates HTTP/1-like headers from the HTTP/2\ntrailer data once appended a string like `\":\"` to the target buffer, while\nthis was recently changed to `\": \"` (a space was added after the colon) but\nthe associated math was not updated correspondingly.\n\nWhen accessed, the data is read out of bounds and causes either a crash or\nthat the (too large) data gets passed to the libcurl callback. This might lead\nto a denial-of-service situation or an information disclosure if someone has a\nservice that echoes back or uses the trailers for something."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2017-8818",
"aliases": [
"CVE-2017-8818"
],
"summary": "SSL out of buffer access",
"modified": "2024-07-02T09:22:24.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2017-8818.json",
"www": "https://curl.se/docs/CVE-2017-8818.html",
"CWE": {
"id": "CWE-125",
"desc": "Out-of-bounds Read"
},
"last_affected": "7.56.1",
"severity": "High"
},
"published": "2017-11-29T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.56.0"},
{"fixed": "7.57.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "70f1db321a2b39c75f679b5b052aa1ac0636bd50"},
{"fixed": "9b5e12a5491d2e6b68e0c88ca56f3a9ef9fba400"}
]
}
],
"versions": [
"7.56.1", "7.56.0"
]
}
],
"credits": [
{
"name": "John Schoenick",
"type": "FINDER"
},
{
"name": "Ray Satiro",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl contains an out boundary access flaw in SSL related code.\n\nWhen allocating memory for a connection (the internal struct called\n`connectdata`), a certain amount of memory is allocated at the end of the\nstruct to be used for SSL related structs. Those structs are used by the\nparticular SSL library libcurl is built to use. The application can also tell\nlibcurl which specific SSL library to use if it was built to support more than\none.\n\nThe math used to calculate the extra memory amount necessary for the SSL\nlibrary was wrong on 32 bit systems, which made the allocated memory too small\nby 4 bytes. The last struct member of the last object within the memory area\ncould then be outside of what was allocated. Accessing that member could lead\nto a crash or other undefined behaviors depending on what memory that is\npresent there and how the particular SSL library decides to act on that memory\ncontent.\n\nSpecifically the vulnerability is present if libcurl was built so that\n`sizeof(long long *) < sizeof(long long)` which as far as we are aware only\nhappens in 32-bit builds."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2017-8817",
"aliases": [
"CVE-2017-8817"
],
"summary": "FTP wildcard out of bounds read",
"modified": "2024-07-02T09:22:24.00Z",
"database_specific": {
"package": "curl",
"affects": "lib",
"URL": "https://curl.se/docs/CVE-2017-8817.json",
"www": "https://curl.se/docs/CVE-2017-8817.html",
"CWE": {
"id": "CWE-126",
"desc": "Buffer Over-read"
},
"last_affected": "7.56.1",
"severity": "Medium"
},
"published": "2017-11-29T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.21.0"},
{"fixed": "7.57.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "0825cd80a62c21725fb3615f1fdd3aa6cc5f0f34"},
{"fixed": "0b664ba968437715819bfe4c7ada5679d16ebbc3"}
]
}
],
"versions": [
"7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1",
"7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1",
"7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0",
"7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0",
"7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0",
"7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0",
"7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0",
"7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1",
"7.21.0"
]
}
],
"credits": [
{
"name": "OSS-Fuzz",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
},
{
"name": "Max Dymond",
"type": "OTHER"
}
],
"details": "libcurl contains a read out of bounds flaw in the FTP wildcard function.\n\nlibcurl's FTP wildcard matching feature, which is enabled with the\n`CURLOPT_WILDCARDMATCH` option can use a built-in wildcard function or a user\nprovided one. The built-in wildcard function has a flaw that makes it not\ndetect the end of the pattern string if it ends with an open bracket (`[`) but\ninstead it continues reading the heap beyond the end of the URL buffer that\nholds the wildcard.\n\nFor applications that use HTTP(S) URLs, allow libcurl to handle redirects and\nhave FTP wildcards enabled, this flaw can be triggered by malicious servers\nthat can redirect clients to a URL using such a wildcard pattern."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2017-8816",
"aliases": [
"CVE-2017-8816"
],
"summary": "NTLM buffer overflow via integer overflow",
"modified": "2024-07-02T09:22:24.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2017-8816.json",
"www": "https://curl.se/docs/CVE-2017-8816.html",
"CWE": {
"id": "CWE-131",
"desc": "Incorrect Calculation of Buffer Size"
},
"last_affected": "7.56.1",
"severity": "Medium"
},
"published": "2017-11-29T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.36.0"},
{"fixed": "7.57.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "86724581b6c02d160b52f817550cfdfc9c93af62"},
{"fixed": "7f2a1df6f5fc598750b2c6f34465c8d924db28cc"}
]
}
],
"versions": [
"7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1",
"7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1",
"7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0",
"7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0",
"7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0"
]
}
],
"credits": [
{
"name": "Alex Nichols",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl contains a buffer overrun flaw in the NTLM authentication code.\n\nThe internal function `Curl_ntlm_core_mk_ntlmv2_hash` sums up the lengths of\nthe username + password (= SUM) and multiplies the sum by two (= SIZE) to\nfigure out how large storage to allocate from the heap.\n\nThe SUM value is subsequently used to iterate over the input and generate\noutput into the storage buffer. On systems with a 32 bit `size_t`, the math to\ncalculate SIZE triggers an integer overflow when the combined lengths of the\nusername and password is larger than 2GB (2^31 bytes). This integer overflow\nusually causes a very small buffer to actually get allocated instead of the\nintended very huge one, making the use of that buffer end up in a buffer\noverrun."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2017-1000257",
"aliases": [
"CVE-2017-1000257"
],
"summary": "IMAP FETCH response out of bounds read",
"modified": "2025-05-15T17:48:29.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2017-1000257.json",
"www": "https://curl.se/docs/CVE-2017-1000257.html",
"CWE": {
"id": "CWE-126",
"desc": "Buffer Over-read"
},
"last_affected": "7.56.0",
"severity": "Medium"
},
"published": "2017-10-12T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.20.0"},
{"fixed": "7.56.1"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "ec3bb8f727405642a471b4b1b9eb0118fc003104"},
{"fixed": "13c9a9ded3ae744a1e11cbc14e9146d9fa427040"}
]
}
],
"versions": [
"7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0",
"7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0",
"7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0",
"7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0",
"7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0",
"7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0",
"7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7",
"7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0",
"7.20.1", "7.20.0"
]
}
],
"credits": [
{
"name": "Brian Carpenter (Geeknik Labs)",
"type": "FINDER"
},
{
"name": "0xd34db347",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl contains a buffer overrun flaw in the IMAP handler.\n\nAn IMAP FETCH response line indicates the size of the returned data, in number\nof bytes. When that response says the data is zero bytes, libcurl would pass\non that (non-existing) data with a pointer and the size (zero) to the\ndeliver-data function.\n\nlibcurl's deliver-data function treats zero as a magic number and invokes\nstrlen() on the data to figure out the length. The strlen() is called on a\nheap based buffer that might not be zero terminated so libcurl might read\nbeyond the end of it into whatever memory lies after (or just crash) and then\ndeliver that to the application as if it was actually downloaded."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2017-1000254",
"aliases": [
"CVE-2017-1000254"
],
"summary": "FTP PWD response parser out of bounds read",
"modified": "2024-07-02T09:22:24.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2017-1000254.json",
"www": "https://curl.se/docs/CVE-2017-1000254.html",
"CWE": {
"id": "CWE-126",
"desc": "Buffer Over-read"
},
"last_affected": "7.55.1",
"severity": "Medium"
},
"published": "2017-10-04T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.7"},
{"fixed": "7.56.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "415d2e7cb7dd4f40b7c857f0fba23487dcd030a0"},
{"fixed": "5ff2c5ff25750aba1a8f64fbcad8e5b891512584"}
]
}
],
"versions": [
"7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1",
"7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1",
"7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0",
"7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0",
"7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0",
"7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0",
"7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6",
"7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1",
"7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2",
"7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0",
"7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4",
"7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2",
"7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2",
"7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4",
"7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6",
"7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1",
"7.8", "7.7.3", "7.7.2", "7.7.1", "7.7"
]
}
],
"credits": [
{
"name": "Max Dymond",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl may read outside of a heap allocated buffer when doing FTP.\n\nWhen libcurl connects to an FTP server and successfully logs in (anonymous or\nnot), it asks the server for the current directory with the `PWD` command. The\nserver then responds with a 257 response containing the path, inside double\nquotes. The returned path name is then kept by libcurl for subsequent uses.\n\nDue to a flaw in the string parser for this directory name, a directory name\npassed like this but without a closing double quote would lead to libcurl not\nadding a trailing null byte to the buffer holding the name. When libcurl would\nthen later access the string, it could read beyond the allocated heap buffer\nand crash or wrongly access data beyond the buffer, thinking it was part of\nthe path.\n\nA malicious server could abuse this fact and effectively prevent libcurl-based\nclients to work with it - the PWD command is always issued on new FTP\nconnections and the mistake has a high chance of causing a segfault.\n\nThe simple fact that this issue has remained undiscovered for this long could\nsuggest that malformed PWD responses are rare in benign servers."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2017-1000101",
"aliases": [
"CVE-2017-1000101"
],
"summary": "URL globbing out of bounds read",
"modified": "2024-07-02T09:22:24.00Z",
"database_specific": {
"package": "curl",
"affects": "tool",
"URL": "https://curl.se/docs/CVE-2017-1000101.json",
"www": "https://curl.se/docs/CVE-2017-1000101.html",
"CWE": {
"id": "CWE-126",
"desc": "Buffer Over-read"
},
"last_affected": "7.54.1",
"severity": "Medium"
},
"published": "2017-08-09T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.34.0"},
{"fixed": "7.55.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "5ca96cb84410270e233c92bf1b2583cba40c3fad"},
{"fixed": "453e7a7a03a2cec749abd3878a48e728c515cca7"}
]
}
],
"versions": [
"7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0",
"7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0",
"7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1",
"7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0",
"7.36.0", "7.35.0", "7.34.0"
]
}
],
"credits": [
{
"name": "Brian Carpenter",
"type": "FINDER"
},
{
"name": "Yongji Ouyang",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "curl supports \"globbing\" of URLs, in which a user can pass a numerical range\nto have the tool iterate over those numbers to do a sequence of transfers.\n\nIn the globbing function that parses the numerical range, there was an\nomission that made curl read a byte beyond the end of the URL if given a\ncarefully crafted, or just wrongly written, URL. The URL is stored in a heap\nbased buffer, so it could then be made to wrongly read something else instead\nof crashing.\n\nAn example of a URL that triggers the flaw would be\n`http://ur%20[0-60000000000000000000`."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2017-1000100",
"aliases": [
"CVE-2017-1000100"
],
"summary": "TFTP sends more than buffer size",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2017-1000100.json",
"www": "https://curl.se/docs/CVE-2017-1000100.html",
"CWE": {
"id": "CWE-126",
"desc": "Buffer Over-read"
},
"last_affected": "7.54.1",
"severity": "High"
},
"published": "2017-08-09T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.15.0"},
{"fixed": "7.55.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "56d9624b566ac15ffb4b4b6eef220a5000b767e0"},
{"fixed": "358b2b131ad6c095696f20dcfa62b8305263f898"}
]
}
],
"versions": [
"7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0",
"7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0",
"7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1",
"7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0",
"7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0",
"7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0",
"7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4",
"7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7",
"7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0",
"7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3",
"7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2",
"7.15.1", "7.15.0"
]
}
],
"credits": [
{
"name": "Even Rouault",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "When doing a TFTP transfer and curl/libcurl is given a URL that contains a\nvery long filename (longer than about 515 bytes), the filename is truncated to\nfit within the buffer boundaries, but the buffer size is still wrongly updated\nto use the original length. This too large value is then used in the\n`sendto()` call, making curl attempt to send more data than what is actually\nput into the buffer. The `sendto()` function then reads beyond the end of the\nheap based buffer.\n\nA malicious HTTP(S) server could redirect a vulnerable libcurl-using client to\na crafted TFTP URL (if the client has not restricted which protocols it allows\nredirects to) and trick it to send private memory contents to a remote server\nover UDP. Limit curl's redirect protocols with `--proto-redir` and libcurl's\nwith `CURLOPT_REDIR_PROTOCOLS`."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2017-1000099",
"aliases": [
"CVE-2017-1000099"
],
"summary": "FILE buffer read out of bounds",
"modified": "2023-06-02T13:03:22.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2017-1000099.json",
"www": "https://curl.se/docs/CVE-2017-1000099.html",
"CWE": {
"id": "CWE-170",
"desc": "Improper Null Termination"
},
"last_affected": "7.54.1",
"severity": "Medium"
},
"published": "2017-08-09T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.54.1"},
{"fixed": "7.55.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "7c312f84ea930d89c0f0f774b50032c4f9ae30e4"},
{"fixed": "c9332fa5e84f24da300b42b1a931ade929d3e27d"}
]
}
],
"versions": [
"7.54.1"
]
}
],
"credits": [
{
"name": "Even Rouault",
"type": "FINDER"
},
{
"name": "Even Rouault",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "When asking to get a file from a file:// URL, libcurl provides a feature that\noutputs meta-data about the file using HTTP-like headers.\n\nThe code doing this would send the wrong buffer to the user (stdout or the\napplication's provide callback), which could lead to other private data from\nthe heap to get inadvertently displayed.\n\nThe wrong buffer was an uninitialized memory area allocated on the heap and if\nit turned out to not contain any zero byte, it would continue and display the\ndata following that buffer in memory."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2017-9502",
"aliases": [
"CVE-2017-9502"
],
"summary": "URL file scheme drive letter buffer overflow",
"modified": "2024-07-02T09:22:24.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2017-9502.json",
"www": "https://curl.se/docs/CVE-2017-9502.html",
"CWE": {
"id": "CWE-122",
"desc": "Heap-based Buffer Overflow"
},
"last_affected": "7.54.0",
"severity": "High"
},
"published": "2017-06-14T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.53.0"},
{"fixed": "7.54.1"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "1d4202ade602dd4f1192c69aed5cc905e7a9b4e2"},
{"fixed": "5d7952f52e410e1d4a8ff1965e5cc6fc1bde86aa"}
]
}
],
"versions": [
"7.54.0", "7.53.1", "7.53.0"
]
}
],
"credits": [
{
"name": "Marcel Raad",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "When libcurl is given either\n\n 1. a file: URL that does not use two slashes following the colon, or\n 2. is told that file is the default scheme to use for URLs without scheme\n\n... and the given path starts with a drive letter and libcurl is built for\nWindows or DOS, then libcurl would copy the path with a wrong offset, so that\nthe end of the given path would write beyond the malloc buffer. Up to seven\nbytes too much."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2017-7468",
"aliases": [
"CVE-2017-7468"
],
"summary": "TLS session resumption client cert bypass (again)",
"modified": "2024-07-02T09:22:24.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2017-7468.json",
"www": "https://curl.se/docs/CVE-2017-7468.html",
"CWE": {
"id": "CWE-305",
"desc": "Authentication Bypass by Primary Weakness"
},
"last_affected": "7.53.1",
"severity": "High"
},
"published": "2017-04-19T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.52.0"},
{"fixed": "7.54.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "95c717bbd9c327c38b4efcc37d5cda29b8ee2a36"},
{"fixed": "33cfcfd9f0378625d3bddbd2c8ac5aad4b646f26"}
]
}
],
"versions": [
"7.53.1", "7.53.0", "7.52.1", "7.52.0"
]
}
],
"credits": [
{
"name": "lijian996 on github",
"type": "FINDER"
},
{
"name": "Ray Satiro",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl would attempt to resume a TLS session even if the client certificate\nhad changed. That is unacceptable since a server by specification is allowed\nto skip the client certificate check on resume, and may instead use the old\nidentity which was established by the previous certificate (or no\ncertificate).\n\nlibcurl supports by default the use of TLS session id/ticket to resume\nprevious TLS sessions to speed up subsequent TLS handshakes. They are used\nwhen for any reason an existing TLS connection could not be kept alive to make\nthe next handshake faster.\n\nThis flaw is a regression and identical to\n[CVE-2016-5419](https://curl.se/docs/CVE-2016-5419.html) reported on\nAugust 3rd 2016, but affecting a different version range."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2017-7407",
"aliases": [
"CVE-2017-7407"
],
"summary": "--write-out out of buffer read",
"modified": "2024-12-18T10:24:02.00Z",
"database_specific": {
"package": "curl",
"affects": "tool",
"URL": "https://curl.se/docs/CVE-2017-7407.json",
"www": "https://curl.se/docs/CVE-2017-7407.html",
"CWE": {
"id": "CWE-126",
"desc": "Buffer Over-read"
},
"last_affected": "7.53.1",
"severity": "Medium"
},
"published": "2017-04-03T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "6.5"},
{"fixed": "7.54.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "d073ec0a719bfad28b791f1ead089be655b896e9"},
{"fixed": "8e65877870c1fac920b65219adec720df810aab9"}
]
}
],
"versions": [
"7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2",
"7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0",
"7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0",
"7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0",
"7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1",
"7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0",
"7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2",
"7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5",
"7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1",
"7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1",
"7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0",
"7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2",
"7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7",
"7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10",
"7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2",
"7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1",
"7.7", "7.6.1", "7.6", "7.5.2", "7.5.1", "7.5", "7.4.2",
"7.4.1", "7.4", "7.3", "7.2.1", "7.2", "7.1.1", "7.1",
"6.5.2", "6.5.1", "6.5"
]
}
],
"credits": [
{
"name": "Brian Carpenter (Geeknik Labs)",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "There were two bugs in curl's parser for the command line option `--write-out`\n(or `-w` for short) that would skip the end of string zero byte if the string\nended in a `%` (percent) or `\\` (backslash), and it would read beyond that\nbuffer in the heap memory and it could then potentially output pieces of that\nmemory to the terminal or the target file etc.\n\nThe curl security team did not report this as a security vulnerability due to\nthe minimal risk: the memory this would output comes from the process the user\nitself invokes and that runs with the same privileges as the user. We could\nnot come up with a likely scenario where this could leak other users' data or\nmemory contents.\n\nAn external party registered this as a CVE with MITRE and we feel a\nresponsibility to clarify what this flaw is about. The CVE-2017-7407 issue is\nspecifically only about the `%` part of this flaw.\n\nThis flaw only exists in the command line tool."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2017-2629",
"aliases": [
"CVE-2017-2629"
],
"summary": "SSL_VERIFYSTATUS ignored",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2017-2629.json",
"www": "https://curl.se/docs/CVE-2017-2629.html",
"CWE": {
"id": "CWE-304",
"desc": "Missing Critical Step in Authentication"
},
"last_affected": "7.52.1",
"severity": "Medium"
},
"published": "2017-02-22T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.52.0"},
{"fixed": "7.53.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "cb4e2be7c6d42ca0780f8e0a747cecf9ba45f151"},
{"fixed": "ca6ea6d9be5102a2246dff6e17b3ee9ad4ec64d0"}
]
}
],
"versions": [
"7.52.1", "7.52.0"
]
}
],
"credits": [
{
"name": "Marcus Hoffmann",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "curl and libcurl support \"OCSP stapling\", also known as the TLS Certificate\nStatus Request extension (using the `CURLOPT_SSL_VERIFYSTATUS` option). When\ntelling curl to use this feature, it uses that TLS extension to ask for a\nfresh proof of the server's certificate's validity. If the server does not\nsupport the extension, or fails to provide said proof, curl is expected to\nreturn an error.\n\nDue to a coding mistake, the code that checks for a test success or failure,\nends up always thinking there is valid proof, even when there is none or if\nthe server does not support the TLS extension in question. Contrary to how it\nused to function and contrary to how this feature is documented to work.\n\nThis could lead to users not detecting when a server's certificate goes\ninvalid or otherwise be misled that the server is in a better shape than it\nis in reality.\n\nThis flaw also exists in the command line tool\n([--cert-status](https://curl.se/docs/manpage.html#--cert-status))."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2016-9594",
"aliases": [
"CVE-2016-9594"
],
"summary": "uninitialized random",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2016-9594.json",
"www": "https://curl.se/docs/CVE-2016-9594.html",
"CWE": {
"id": "CWE-330",
"desc": "Use of Insufficiently Random Values"
},
"last_affected": "7.52.0",
"severity": "High"
},
"published": "2016-12-23T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.52.0"},
{"fixed": "7.52.1"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "f682156a4fc6c43fb38db4abda49b9a1bc1ed368"},
{"fixed": "f81b2277a8e7e9ce8809ccd30c25b8aa72101215"}
]
}
],
"versions": [
"7.52.0"
]
}
],
"credits": [
{
"name": "Kamil Dudka",
"type": "FINDER"
},
{
"name": "Kamil Dudka",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl's (new) internal function that returns a good 32bit random value was\nimplemented poorly and overwrote the pointer instead of writing the value into\nthe buffer the pointer pointed to.\n\nThis random value is used to generate nonces for Digest and NTLM\nauthentication, for generating boundary strings in HTTP formposts and\nmore. Having a weak or virtually non-existent random there makes these\noperations vulnerable.\n\nThis function is brand new in 7.52.0 and is the result of an overhaul to make\nsure libcurl uses strong random as much as possible - provided by the backend\nTLS crypto libraries when present."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2016-9586",
"aliases": [
"CVE-2016-9586"
],
"summary": "printf floating point buffer overflow",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "lib",
"URL": "https://curl.se/docs/CVE-2016-9586.json",
"www": "https://curl.se/docs/CVE-2016-9586.html",
"CWE": {
"id": "CWE-121",
"desc": "Stack-based Buffer Overflow"
},
"last_affected": "7.51.0",
"severity": "Medium"
},
"published": "2016-12-21T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "5.4"},
{"fixed": "7.52.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "ae1912cb0d494b48d514d937826c9fe83ec96c4d"},
{"fixed": "3ab3c16db6a5674f53cf23d56512a405fde0b2c9"}
]
}
],
"versions": [
"7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0",
"7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0",
"7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1",
"7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0",
"7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0",
"7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5",
"7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0",
"7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1",
"7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4",
"7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3",
"7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1",
"7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1",
"7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3",
"7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5",
"7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8",
"7.7.3", "7.7.2", "7.7.1", "7.7", "7.6.1", "7.6", "7.5.2",
"7.5.1", "7.5", "7.4.2", "7.4.1", "7.4", "7.3", "7.2.1",
"7.2", "7.1.1", "7.1", "6.5.2", "6.5.1", "6.5", "6.4",
"6.3.1", "6.3", "6.2", "6.1", "6.0", "5.11", "5.10",
"5.9.1", "5.9", "5.8", "5.7.1", "5.7", "5.5.1", "5.5",
"5.4"
]
}
],
"credits": [
{
"name": "Daniel Stenberg",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl's implementation of the printf() functions triggers a buffer overflow\nwhen doing a large floating point output. The bug occurs when the conversion\noutputs more than 255 bytes.\n\nThe flaw happens because the floating point conversion is using system\nfunctions without the correct boundary checks.\n\nThe functions have been documented as deprecated for a long time and users are\ndiscouraged from using them in \"new programs\" as they are planned to get\nremoved at a future point. Since the functions are present and there is\nnothing preventing users from using them, we expect there to be a certain\namount of existing users in the wild.\n\nIf there is any application that accepts a format string from the outside\nwithout necessary input filtering, it could allow remote attacks.\n\nThis flaw does not exist in the command line tool."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2016-9952",
"aliases": [
"CVE-2016-9952"
],
"summary": "Win CE Schannel cert wildcard matches too much",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2016-9952.json",
"www": "https://curl.se/docs/CVE-2016-9952.html",
"CWE": {
"id": "CWE-295",
"desc": "Improper Certificate Validation"
},
"last_affected": "7.51.0",
"severity": "Medium"
},
"published": "2016-12-21T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.27.0"},
{"fixed": "7.52.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "4ab2d26cb83dfbb74ba9eeaaa4835b4dd12883d4"},
{"fixed": "0354eed41085baa5ba8777019ebf5e9ef32c001d"}
]
}
],
"versions": [
"7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0",
"7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0",
"7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1",
"7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0",
"7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0"
]
}
],
"credits": [
{
"name": "Dan McNulty",
"type": "FINDER"
},
{
"name": "Dan McNulty",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "curl's TLS server certificate checks are flawed on Windows CE.\n\nThis vulnerability occurs in the verify certificate function when comparing a\nwildcard certificate name (as returned by the Windows API function\n`CertGetNameString()`) to the hostname used to make the connection to the\nserver.\n\nThe vulnerability can be triggered with an overly permissive wildcard SAN in\nthe server certificate such as a DNS name of `*.com`. When the function\ncompares the cert name to the connection hostname, the wildcard character is\nremoved from the cert name and the connection hostname is checked to see if it\nends with the modified cert name. This means a hostname of example.com would\nmatch a DNS SAN of `*.com`, among other variations. This approach violates\nrecommendations in RFC 6125 and could lead to MITM attacks."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2016-9953",
"aliases": [
"CVE-2016-9953"
],
"summary": "Win CE Schannel cert name out of buffer read",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2016-9953.json",
"www": "https://curl.se/docs/CVE-2016-9953.html",
"CWE": {
"id": "CWE-126",
"desc": "Buffer Over-read"
},
"last_affected": "7.51.0",
"severity": "Medium"
},
"published": "2016-12-21T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.27.0"},
{"fixed": "7.52.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "4ab2d26cb83dfbb74ba9eeaaa4835b4dd12883d4"},
{"fixed": "0354eed41085baa5ba8777019ebf5e9ef32c001d"}
]
}
],
"versions": [
"7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0",
"7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0",
"7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1",
"7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0",
"7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0"
]
}
],
"credits": [
{
"name": "Dan McNulty",
"type": "FINDER"
},
{
"name": "Dan McNulty",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "curl's TLS server certificate checks are flawed on Windows CE.\n\nThis vulnerability occurs in the verify certificate function when comparing a\nwildcard certificate name (as returned by the Windows API function\n`CertGetNameString()`) to the hostname used to make the connection to the\nserver.\n\nThe pattern matching logic exhibits an out of bounds read. If the wildcard\ncertificate name field is longer than the connection hostname, the wildcard\ncomparison code performs an access out of bounds of the connection hostname\nheap based buffer. This issue could technically leak the contents of memory\nimmediately preceding the connection hostname buffer, just a crash or at worst\nhappen to match against another piece of data."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2016-8615",
"aliases": [
"CVE-2016-8615"
],
"summary": "cookie injection for other servers",
"modified": "2023-06-02T13:03:22.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2016-8615.json",
"www": "https://curl.se/docs/CVE-2016-8615.html",
"CWE": {
"id": "CWE-187",
"desc": "Partial Comparison"
},
"last_affected": "7.50.3",
"severity": "High"
},
"published": "2016-11-02T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "4.9"},
{"fixed": "7.51.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "ae1912cb0d494b48d514d937826c9fe83ec96c4d"},
{"fixed": "cff89bc088b7884098ea0c5378bbda3d49c437bc"}
]
}
],
"versions": [
"7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0",
"7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1",
"7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0",
"7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0",
"7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0",
"7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4",
"7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7",
"7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0",
"7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3",
"7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2",
"7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0",
"7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0",
"7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2",
"7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4",
"7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3",
"7.7.2", "7.7.1", "7.7", "7.6.1", "7.6", "7.5.2", "7.5.1",
"7.5", "7.4.2", "7.4.1", "7.4", "7.3", "7.2.1", "7.2",
"7.1.1", "7.1", "6.5.2", "6.5.1", "6.5", "6.4", "6.3.1",
"6.3", "6.2", "6.1", "6.0", "5.11", "5.10", "5.9.1",
"5.9", "5.8", "5.7.1", "5.7", "5.5.1", "5.5", "5.4",
"5.3", "5.2.1", "5.2", "5.0", "4.10", "4.9"
]
}
],
"credits": [
{
"name": "Cure53",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "If cookie state is written into a cookie jar file that is later read back and\nused for subsequent requests, a malicious HTTP server can inject new cookies\nfor arbitrary domains into said cookie jar.\n\nThe issue pertains to the function that loads cookies into memory, which reads\nthe specified file into a fixed-size buffer in a line-by-line manner using the\n`fgets()` function. If an invocation of `fgets()` cannot read the whole line\ninto the destination buffer due to it being too small, it truncates the\noutput. This way, a very long cookie (name + value) sent by a malicious server\nwould be stored in the file and subsequently that cookie could be read\npartially and crafted correctly, it could be treated as a different cookie for\nanother server."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2016-8616",
"aliases": [
"CVE-2016-8616"
],
"summary": "case insensitive password comparison",
"modified": "2025-09-27T10:58:29.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2016-8616.json",
"www": "https://curl.se/docs/CVE-2016-8616.html",
"CWE": {
"id": "CWE-178",
"desc": "Improper Handling of Case Sensitivity"
},
"last_affected": "7.50.3",
"severity": "Medium"
},
"published": "2016-11-02T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.7"},
{"fixed": "7.51.0"}
]
} ],
"versions": [
"7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0",
"7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1",
"7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0",
"7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0",
"7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0",
"7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4",
"7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7",
"7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0",
"7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3",
"7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2",
"7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0",
"7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0",
"7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2",
"7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4",
"7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3",
"7.7.2", "7.7.1", "7.7"
]
}
],
"credits": [
{
"name": "Cure53",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "When reusing a connection, curl was doing case insensitive comparisons of\nusername and password with the existing connections.\n\nThis means that if an unused connection with proper credentials exists for a\nprotocol that has connection-scoped credentials, an attacker can cause that\nconnection to be reused if s/he knows the case-insensitive version of the\ncorrect password."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2016-8617",
"aliases": [
"CVE-2016-8617"
],
"summary": "OOB write via unchecked multiplication",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2016-8617.json",
"www": "https://curl.se/docs/CVE-2016-8617.html",
"CWE": {
"id": "CWE-131",
"desc": "Incorrect Calculation of Buffer Size"
},
"last_affected": "7.50.3",
"severity": "Medium"
},
"published": "2016-11-02T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.8.1"},
{"fixed": "7.51.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "00b00c693127d9e3a4eedce4c8cdf6e87087192d"},
{"fixed": "efd24d57426bd77c9b5860e6b297904703750412"}
]
}
],
"versions": [
"7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0",
"7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1",
"7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0",
"7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0",
"7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0",
"7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4",
"7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7",
"7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0",
"7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3",
"7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2",
"7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0",
"7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0",
"7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2",
"7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4",
"7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1"
]
}
],
"credits": [
{
"name": "Cure53",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "In libcurl's base64 encode function, the output buffer is allocated as follows\nwithout any checks on `insize`:\n\n malloc( insize * 4 / 3 + 4 )\n\nOn systems with 32-bit addresses in userspace (e.g. x86, ARM, x32), the\nmultiplication in the expression wraps around if `insize` is at least 1GB of\ndata. If this happens, an undersized output buffer is allocated, but the full\nresult is written, thus causing the memory behind the output buffer to be\noverwritten.\n\nIf a username is set directly via `CURLOPT_USERNAME` (or curl's `-u, --user`\noption), this vulnerability can be triggered. The name has to be at least\n512MB big in a 32bit system.\n\nSystems with 64 bit versions of the `size_t` type are not affected by this\nissue."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2016-8618",
"aliases": [
"CVE-2016-8618"
],
"summary": "double free in curl_maprintf",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "lib",
"URL": "https://curl.se/docs/CVE-2016-8618.json",
"www": "https://curl.se/docs/CVE-2016-8618.html",
"CWE": {
"id": "CWE-415",
"desc": "Double Free"
},
"last_affected": "7.50.3",
"severity": "Medium"
},
"published": "2016-11-02T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "5.4"},
{"fixed": "7.51.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "ae1912cb0d494b48d514d937826c9fe83ec96c4d"},
{"fixed": "8732ec40db652c53fa58cd13e2acb8eab6e40874"}
]
}
],
"versions": [
"7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0",
"7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1",
"7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0",
"7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0",
"7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0",
"7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4",
"7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7",
"7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0",
"7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3",
"7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2",
"7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0",
"7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0",
"7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2",
"7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4",
"7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3",
"7.7.2", "7.7.1", "7.7", "7.6.1", "7.6", "7.5.2", "7.5.1",
"7.5", "7.4.2", "7.4.1", "7.4", "7.3", "7.2.1", "7.2",
"7.1.1", "7.1", "6.5.2", "6.5.1", "6.5", "6.4", "6.3.1",
"6.3", "6.2", "6.1", "6.0", "5.11", "5.10", "5.9.1",
"5.9", "5.8", "5.7.1", "5.7", "5.5.1", "5.5", "5.4"
]
}
],
"credits": [
{
"name": "Cure53",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "The libcurl API function called `curl_maprintf()` can be tricked into doing a\ndouble free due to an unsafe `size_t` multiplication, on systems using 32 bit\n`size_t` variables. The function is also used internally in numerous\nsituations.\n\nThe function doubles an allocated memory area with realloc() and allows the\nsize to wrap and become zero and when doing so realloc() returns NULL *and*\nfrees the memory - in contrary to normal realloc() fails where it only returns\nNULL - causing libcurl to free the memory *again* in the error path.\n\nSystems with 64 bit versions of the `size_t` type are not affected by this\nissue.\n\nThis behavior can be triggered using the publicly exposed function."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2016-8619",
"aliases": [
"CVE-2016-8619"
],
"summary": "double free in krb5 code",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2016-8619.json",
"www": "https://curl.se/docs/CVE-2016-8619.html",
"CWE": {
"id": "CWE-415",
"desc": "Double Free"
},
"last_affected": "7.50.3",
"severity": "High"
},
"published": "2016-11-02T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.3"},
{"fixed": "7.51.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "def69c30879c0246bccb02d79e06b937e39d0ba4"},
{"fixed": "3d6460edeee21d7d790ec570d0887bed1f4366dd"}
]
}
],
"versions": [
"7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0",
"7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1",
"7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0",
"7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0",
"7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0",
"7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4",
"7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7",
"7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0",
"7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3",
"7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2",
"7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0",
"7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0",
"7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2",
"7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4",
"7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3",
"7.7.2", "7.7.1", "7.7", "7.6.1", "7.6", "7.5.2", "7.5.1",
"7.5", "7.4.2", "7.4.1", "7.4", "7.3"
]
}
],
"credits": [
{
"name": "Cure53",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "In curl's implementation of the Kerberos authentication mechanism, the\nfunction `read_data()` in security.c is used to fill the necessary krb5\nstructures. When reading one of the length fields from the socket, it fails to\nensure that the length parameter passed to realloc() is not set to 0.\n\nThis would lead to realloc() getting called with a zero size and when doing so\nrealloc() returns NULL *and* frees the memory - in contrary to normal\nrealloc() fails where it only returns NULL - causing libcurl to free the\nmemory *again* in the error path.\n\nThis flaw could be triggered by a malicious or just otherwise ill-behaving\nserver."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2016-8620",
"aliases": [
"CVE-2016-8620"
],
"summary": "glob parser write/read out of bounds",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "tool",
"URL": "https://curl.se/docs/CVE-2016-8620.json",
"www": "https://curl.se/docs/CVE-2016-8620.html",
"CWE": {
"id": "CWE-122",
"desc": "Heap-based Buffer Overflow"
},
"last_affected": "7.50.3",
"severity": "Medium"
},
"published": "2016-11-02T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.34.0"},
{"fixed": "7.51.0"}
]
} ],
"versions": [
"7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0",
"7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1",
"7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0",
"7.36.0", "7.35.0", "7.34.0"
]
}
],
"credits": [
{
"name": "Luật Nguyễn",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "The curl tool's \"globbing\" feature allows a user to specify a numerical range\nthrough which curl iterates. It is typically specified as `[1-5]`, specifying\nthe first and the last numbers in the range. Or with `[a-z]`, using letters.\n\n1. The curl code for parsing the second *unsigned* number did not check for a\nleading minus character, which allowed a user to specify `[1--1]` with no\ncomplaints and have the latter `-1` number get turned into the largest\nunsigned long value the system can handle. This would ultimately cause curl to\nwrite outside the dedicated heap allocated buffer after no less than 100,000\niterations, since it would have room for 5 digits but not 6.\n\n2. When the range is specified with letters, and the ending letter is left out\n`[L-]`, the code would still advance its read pointer 5 bytes even if the\nstring was just 4 bytes and end up reading outside the given buffer.\n\nThis flaw exists only in the curl tool, not in the libcurl library."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2016-8621",
"aliases": [
"CVE-2016-8621"
],
"summary": "curl_getdate read out of bounds",
"modified": "2023-06-02T13:03:22.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2016-8621.json",
"www": "https://curl.se/docs/CVE-2016-8621.html",
"CWE": {
"id": "CWE-126",
"desc": "Buffer Over-read"
},
"last_affected": "7.50.3",
"severity": "Medium"
},
"published": "2016-11-02T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.12.2"},
{"fixed": "7.51.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "f6433211ae9afb30ec461e6633dafc6d8c77eaa9"},
{"fixed": "96a80b5a262fb6dd2ddcea7987296f3b9a405618"}
]
}
],
"versions": [
"7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0",
"7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1",
"7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0",
"7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0",
"7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0",
"7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4",
"7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7",
"7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0",
"7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3",
"7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2",
"7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0",
"7.12.3", "7.12.2"
]
}
],
"credits": [
{
"name": "Luật Nguyễn",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "The `curl_getdate` converts a given date string into a numerical timestamp and\nit supports a range of different formats and possibilities to express a date\nand time. The underlying date parsing function is also used internally when\nparsing for example HTTP cookies (possibly received from remote servers) and\nit can be used when doing conditional HTTP requests.\n\nThe date parser function uses the libc `sscanf()` function at two places, with\nthe parsing strings `%02d:%02d` and `%02d:%02d:%02d`. The intent being that it\nwould parse either a string with HH:MM (two digits colon two digits) or\n`HH:MM:SS` (two digits colon two digits colon two digits). If instead the\npiece of time that was sent in had the final digit cut off, thus ending with a\nsingle-digit, the date parser code would advance its read pointer one byte too\nmuch and end up reading out of bounds."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2016-8622",
"aliases": [
"CVE-2016-8622"
],
"summary": "URL unescape heap overflow via integer truncation",
"modified": "2023-06-02T13:03:22.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2016-8622.json",
"www": "https://curl.se/docs/CVE-2016-8622.html",
"CWE": {
"id": "CWE-122",
"desc": "Heap-based Buffer Overflow"
},
"last_affected": "7.50.3",
"severity": "Medium"
},
"published": "2016-11-02T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.24.0"},
{"fixed": "7.51.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "75ca568fa1c19de4c5358fed246686de8467c238"},
{"fixed": "53e71e47d6b81650d26ec33a58d0dca24c7ffb2c"}
]
}
],
"versions": [
"7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0",
"7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1",
"7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0",
"7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0",
"7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0"
]
}
],
"credits": [
{
"name": "Cure53",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "The URL percent-encoding decode function in libcurl is called\n`curl_easy_unescape`. Internally, even if this function would be made to\nallocate a destination buffer larger than 2GB, it would return that new length\nin a signed 32 bit integer variable, thus the length would get either just\ntruncated or both truncated and turned negative. That could then lead to\nlibcurl writing outside of its heap based buffer.\n\nThis can be triggered by a user on a 64bit system if the user can send in a\ncustom (very large) URL to a libcurl using program."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2016-8623",
"aliases": [
"CVE-2016-8623"
],
"summary": "Use after free via shared cookies",
"modified": "2023-06-02T13:03:22.00Z",
"database_specific": {
"package": "curl",
"affects": "lib",
"URL": "https://curl.se/docs/CVE-2016-8623.json",
"www": "https://curl.se/docs/CVE-2016-8623.html",
"CWE": {
"id": "CWE-416",
"desc": "Use After Free"
},
"last_affected": "7.50.3",
"severity": "High"
},
"published": "2016-11-02T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.10.7"},
{"fixed": "7.51.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "41ae97e710f728495a1d6adba6476c21b94c4881"},
{"fixed": "c5be3d7267c725dbd093ff3a883e07ee8cf2a1d5"}
]
}
],
"versions": [
"7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0",
"7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1",
"7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0",
"7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0",
"7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0",
"7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4",
"7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7",
"7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0",
"7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3",
"7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2",
"7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0",
"7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0",
"7.10.8", "7.10.7"
]
}
],
"credits": [
{
"name": "Cure53",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl explicitly allows users to share cookies between multiple easy handles\nthat are concurrently employed by different threads.\n\nWhen cookies to be sent to a server are collected, the matching function\ncollects all cookies to send and the cookie lock is released immediately\nafterwards. That function however only returns a list with *references* back\nto the original strings for name, value, path and so on. Therefore, if another\nthread quickly takes the lock and frees one of the original cookie structs\ntogether with its strings, a use after free can occur and lead to information\ndisclosure. Another thread can also replace the contents of the cookies from\nseparate HTTP responses or API calls."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2016-8624",
"aliases": [
"CVE-2016-8624"
],
"summary": "invalid URL parsing with '#'",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2016-8624.json",
"www": "https://curl.se/docs/CVE-2016-8624.html",
"CWE": {
"id": "CWE-172",
"desc": "Encoding Error"
},
"last_affected": "7.50.3",
"severity": "Medium"
},
"published": "2016-11-02T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "6.0"},
{"fixed": "7.51.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "ae1912cb0d494b48d514d937826c9fe83ec96c4d"},
{"fixed": "3bb273db7e40ebc284cff45f3ce3f0475c8339c2"}
]
}
],
"versions": [
"7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0",
"7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1",
"7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0",
"7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0",
"7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0",
"7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4",
"7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7",
"7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0",
"7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3",
"7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2",
"7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0",
"7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0",
"7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2",
"7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4",
"7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3",
"7.7.2", "7.7.1", "7.7", "7.6.1", "7.6", "7.5.2", "7.5.1",
"7.5", "7.4.2", "7.4.1", "7.4", "7.3", "7.2.1", "7.2",
"7.1.1", "7.1", "6.5.2", "6.5.1", "6.5", "6.4", "6.3.1",
"6.3", "6.2", "6.1", "6.0"
]
}
],
"credits": [
{
"name": "Fernando Muñoz",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "curl does not parse the authority component of the URL correctly when the host\nname part ends with a hash (`#`) character, and could instead be tricked into\nconnecting to a different host. This may have security implications if you for\nexample use a URL parser that follows the RFC to check for allowed domains\nbefore using curl to request them.\n\nPassing in `http://example.com#@evil.com/x.txt` would wrongly make curl send a\nrequest to evil.com while your browser would connect to example.com given the\nsame URL.\n\nThe problem exists for most protocol schemes."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2016-8625",
"aliases": [
"CVE-2016-8625"
],
"summary": "IDNA 2003 makes curl use wrong host",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2016-8625.json",
"www": "https://curl.se/docs/CVE-2016-8625.html",
"CWE": {
"id": "CWE-838",
"desc": "Inappropriate Encoding for Output Context"
},
"last_affected": "7.50.3",
"severity": "High"
},
"published": "2016-11-02T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.12.0"},
{"fixed": "7.51.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "9631fa740708b1890197fad01e25b34b7e8eb80e"},
{"fixed": "9c91ec778104ae3b744b39444d544e82d5ee9ece"}
]
}
],
"versions": [
"7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0",
"7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1",
"7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0",
"7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0",
"7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0",
"7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4",
"7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7",
"7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0",
"7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3",
"7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2",
"7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0",
"7.12.3", "7.12.2", "7.12.1", "7.12.0"
]
}
],
"credits": [
{
"name": "Christian Heimes",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "When curl is built with libidn to handle International Domain Names (IDNA), it\ntranslates them to puny code for DNS resolving using the IDNA 2003 standard,\nwhile IDNA 2008 is the modern and up-to-date IDNA standard.\n\nThis misalignment causes problems with for example domains using the German ß\ncharacter (known as the Unicode Character `LATIN SMALL LETTER SHARP S`) which\nis used at times in the `.de` TLD and is translated differently in the two\nIDNA standards, leading to users potentially and unknowingly issuing network\ntransfer requests to the wrong host.\n\nFor example, `straße.de` is translated into `strasse.de` using IDNA 2003 but\nis translated into `xn--strae-oqa.de` using IDNA 2008. Needless to say, those\nhostnames could very well resolve to different addresses and be two\ncompletely independent servers. IDNA 2008 is mandatory for `.de` domains.\n\ncurl is not alone with this problem, as there is currently a big flux in the\nworld of network user-agents about which IDNA version to support and use.\n\nThis name problem exists for DNS-using protocols in curl, but only when built\nto use libidn."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2016-7167",
"aliases": [
"CVE-2016-7167"
],
"summary": "curl escape and unescape integer overflows",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "lib",
"URL": "https://curl.se/docs/CVE-2016-7167.json",
"www": "https://curl.se/docs/CVE-2016-7167.html",
"CWE": {
"id": "CWE-131",
"desc": "Incorrect Calculation of Buffer Size"
},
"last_affected": "7.50.2",
"severity": "Medium"
},
"published": "2016-09-14T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.11.1"},
{"fixed": "7.50.3"}
]
} ],
"versions": [
"7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1",
"7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0",
"7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0",
"7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0",
"7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1",
"7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3",
"7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6",
"7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2",
"7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2",
"7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1",
"7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3",
"7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1"
]
}
],
"credits": [
{
"name": "the Mitre CVE Assignment Team",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "The four libcurl functions `curl_escape()`, `curl_easy_escape()`,\n`curl_unescape` and `curl_easy_unescape` perform string URL percent escaping\nand unescaping. They accept custom string length inputs in signed integer\narguments. (The functions having names without \"easy\" being the deprecated\nversions of the others.)\n\nThe provided string length arguments were not properly checked and due to\narithmetic in the functions, passing in the length `0xffffffff` (2^32-1 or\n`UINT_MAX` or even just -1) would end up causing an allocation of zero bytes\nof heap memory that curl would attempt to write gigabytes of data into.\n\nThe use of 'int' for this input type in the API is of course unwise but has\nremained so in order to maintain the API over the years."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2016-7141",
"aliases": [
"CVE-2016-7141"
],
"summary": "Incorrect reuse of client certificates",
"modified": "2025-09-27T10:58:29.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2016-7141.json",
"www": "https://curl.se/docs/CVE-2016-7141.html",
"CWE": {
"id": "CWE-305",
"desc": "Authentication Bypass by Primary Weakness"
},
"last_affected": "7.50.1",
"severity": "High"
},
"published": "2016-09-07T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.19.6"},
{"fixed": "7.50.2"}
]
} ],
"versions": [
"7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0",
"7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0",
"7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0",
"7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1",
"7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0",
"7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2",
"7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6"
]
}
],
"credits": [
{
"name": "Red Hat",
"type": "FINDER"
},
{
"name": "Kamil Dudka",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl built on top of NSS (Network Security Services) incorrectly reused\nclient certificates if a certificate from file was used for one TLS connection\nbut no certificate set for a subsequent TLS connection.\n\nWhile the symptoms are similar to CVE-2016-5420 (Reusing connection with wrong\nclient cert), this vulnerability was caused by an implementation detail of the\nNSS backend in libcurl, which is orthogonal to the cause of CVE-2016-5420."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2016-5419",
"aliases": [
"CVE-2016-5419"
],
"summary": "TLS session resumption client cert bypass",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2016-5419.json",
"www": "https://curl.se/docs/CVE-2016-5419.html",
"CWE": {
"id": "CWE-305",
"desc": "Authentication Bypass by Primary Weakness"
},
"last_affected": "7.50.0",
"severity": "High"
},
"published": "2016-08-03T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "5.0"},
{"fixed": "7.50.1"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "ae1912cb0d494b48d514d937826c9fe83ec96c4d"},
{"fixed": "247d890da88f9ee817079e246c59f3d7d12fde5f"}
]
}
],
"versions": [
"7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0",
"7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0",
"7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0",
"7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0",
"7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0",
"7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1",
"7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4",
"7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0",
"7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0",
"7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1",
"7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1",
"7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6",
"7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8",
"7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1",
"7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7",
"7.6.1", "7.6", "7.5.2", "7.5.1", "7.5", "7.4.2", "7.4.1",
"7.4", "7.3", "7.2.1", "7.2", "7.1.1", "7.1", "6.5.2",
"6.5.1", "6.5", "6.4", "6.3.1", "6.3", "6.2", "6.1",
"6.0", "5.11", "5.10", "5.9.1", "5.9", "5.8", "5.7.1",
"5.7", "5.5.1", "5.5", "5.4", "5.3", "5.2.1", "5.2",
"5.0"
]
}
],
"credits": [
{
"name": "Bru Rom",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
},
{
"name": "Eric Rescorla",
"type": "OTHER"
},
{
"name": "Ray Satiro",
"type": "OTHER"
}
],
"details": "libcurl would attempt to resume a TLS session even if the client certificate\nhad changed. That is unacceptable since a server by specification is allowed\nto skip the client certificate check on resume, and may instead use the old\nidentity which was established by the previous certificate (or no\ncertificate).\n\nlibcurl supports by default the use of TLS session id/ticket to resume\nprevious TLS sessions to speed up subsequent TLS handshakes. They are used\nwhen for any reason an existing TLS connection could not be kept alive to make\nthe next handshake faster."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2016-5420",
"aliases": [
"CVE-2016-5420"
],
"summary": "Reusing connections with wrong client cert",
"modified": "2025-09-27T10:58:29.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2016-5420.json",
"www": "https://curl.se/docs/CVE-2016-5420.html",
"CWE": {
"id": "CWE-305",
"desc": "Authentication Bypass by Primary Weakness"
},
"last_affected": "7.50.0",
"severity": "Medium"
},
"published": "2016-08-03T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.7"},
{"fixed": "7.50.1"}
]
} ],
"versions": [
"7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0",
"7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0",
"7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0",
"7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0",
"7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0",
"7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1",
"7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4",
"7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0",
"7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0",
"7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1",
"7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1",
"7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6",
"7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8",
"7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1",
"7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7"
]
}
],
"credits": [
{
"name": "the curl security team",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl did not consider client certificates when reusing TLS connections.\n\nlibcurl supports reuse of established connections for subsequent requests. It\ndoes this by keeping a few previous connections \"alive\" in a connection pool\nso that a subsequent request can use one of them instead of creating a\nnew connection.\n\nWhen using a client certificate for a connection that was then put into the\nconnection pool, that connection could then wrongly get reused in a subsequent\nrequest to that same server that either did not use a client certificate at\nall or that asked to use a different client certificate thus trying to tell\nthe user that it is a different entity.\n\nMistakenly using the wrong connection could of course lead to\napplications sending requests to the wrong realms of the server using\nauthentication that it was not supposed to have for those operations."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2016-5421",
"aliases": [
"CVE-2016-5421"
],
"summary": "use of connection struct after free",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "lib",
"URL": "https://curl.se/docs/CVE-2016-5421.json",
"www": "https://curl.se/docs/CVE-2016-5421.html",
"CWE": {
"id": "CWE-416",
"desc": "Use After Free"
},
"last_affected": "7.50.0",
"severity": "High"
},
"published": "2016-08-03T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.32.0"},
{"fixed": "7.50.1"}
]
} ],
"versions": [
"7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0",
"7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0",
"7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0",
"7.33.0", "7.32.0"
]
}
],
"credits": [
{
"name": "Marcelo Echeverria",
"type": "FINDER"
},
{
"name": "Fernando Muñoz",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl is vulnerable to a use after free flaw.\n\nlibcurl works with easy handles using the type 'CURL *' that are objects the\napplication creates using `curl_easy_init()`. Each of these handles is\nassociated with a single transfer at a time. libcurl also has an internal\nstruct that represents and holds most state that is related to a single\nconnection. An easy handle can hold references to one or many such connection\nstructs depending on the requested operations.\n\nWhen using libcurl's multi interface, an application performs transfers by\nadding one or more easy handles to the multi handle and then it can drive all\nthose transfers in parallel.\n\nDue to a flaw, libcurl could leave a pointer to a freed connection struct\ndangling in an easy handle that was previously added to a multi handle when\n`curl_multi_cleanup()` is called with an easy handle still added to it. This\ndoes not seem to cause any notable harm if the handle is then closed properly.\n\nHowever, if the easy handle would instead get used again with the easy\ninterface and `curl_easy_perform()` to do another transfer, it would blindly\nuse the connection struct pointer now pointing to freed memory.\n\nAn application could be made to allocate its own fake version of the connection\nstruct, fill in some data and then have the `curl_easy_perform()` call do\nsomething that clearly was not intended by the original code.\n\nFor example, this could be an application using a component or library that\nuses libcurl to do something against fixed URLs or fixed hostnames or with a\nset of fixed options, but using this flaw the application can then make the\ncomponent do something completely different and unintended.\n\nPseudo code for a bad application\n\n easy = curl_easy_init();\n curl_easy_setopt(easy, CURLOPT_URL, \"http://example.com/\");\n\n // --- start of code to confuse libcurl ---\n multi = curl_multi_init();\n curl_multi_add_handle(multi, easy);\n curl_multi_perform(multi, &still_running);\n curl_multi_cleanup(multi);\n\n // --- attack code\n allocate_fake_connection_struct()\n fill_in_fake_connection_struct()\n\n // ---- end of confusion code\n\n // now this is called, it will not use example.com at all even if the\n // option above asks for it...\n\n curl_easy_perform(easy);\n\nThis flaw can also be exploited using libcurl bindings in other languages."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2016-4802",
"aliases": [
"CVE-2016-4802"
],
"summary": "Windows DLL hijacking",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2016-4802.json",
"www": "https://curl.se/docs/CVE-2016-4802.html",
"CWE": {
"id": "CWE-94",
"desc": "Improper Control of Generation of Code ('Code Injection')"
},
"last_affected": "7.49.0",
"severity": "High"
},
"published": "2016-05-30T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.11.1"},
{"fixed": "7.49.1"}
]
} ],
"versions": [
"7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0",
"7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0",
"7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0",
"7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0",
"7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6",
"7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1",
"7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2",
"7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0",
"7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4",
"7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2",
"7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2",
"7.11.1"
]
}
],
"credits": [
{
"name": "Guohui from Huawei WeiRan Labs",
"type": "FINDER"
},
{
"name": "Steve Holme",
"type": "REMEDIATION_DEVELOPER"
},
{
"name": "Stefan Kanthak",
"type": "OTHER"
},
{
"name": "Jay Satiro",
"type": "OTHER"
}
],
"details": "libcurl would load Windows system DLLs in a manner that may make it vulnerable\nto a DLL hijacking (aka binary planting) attack in certain configurations.\n\nlibcurl has a unified code base that builds and runs on a multitude of\ndifferent versions of Windows. To make that possible, when libcurl is built\nwith SSPI or telnet is used, it dynamically loads some of the necessary system\nDLLs at runtime by calling `LoadLibrary()`. No path is specified for these\nDLLs.\n\nTo find a DLL when no path is specified `LoadLibrary()` follows [DLL search\norder](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682586.aspx#search_order_for_desktop_applications)\nto load it. If it is a \"known DLL\" no searching is done, the system copy is\nused. If it is not a \"known DLL\": The application directory is searched first.\nThe current directory is searched next, if DLL safe search mode is not\nenabled. The system directory is searched next.\n\nThe 3 system DLLs libcurl loads dynamically are `security.dll`, `secur32.dll`\nand `ws2_32.dll` (a \"known DLL\" when installed). These DLLs may not be present\non some versions of Windows, which is why they are loaded\ndynamically. Depending on a number of factors outlined in the DLL search order\ndocument it may be possible for an attacker to plant a DLL of the same name in\nthe user's current directory, application directory or other directory in the\nDLL search order, thereby possibly causing it to be loaded first.\n\n**Recent versions of Windows include all 3 of those dynamically loaded system\nDLLs and also enable safe DLL search mode by default. Therefore in such a case\n`ws2_32.dll` could not be planted, and `security.dll` or `secur32.dll` could\nonly be planted in the application directory.**\n\nTo address this issue we have changed libcurl so that any system DLL it\ndynamically loads in Windows is done in the most secure way available.\n\nNote if an attacker has the ability to write new files to your application\ndirectory they can likely still plant DLLs to be loaded in any case, load-time\nor runtime. This is by design in Windows DLL loading (refer to the DLL\nsearch order doc). For example it may be possible to override DLL search paths\nby planting an app.exe.local file or possibly a fake manifest. There is\nnothing we can do to prevent this. We advise you to guard write\npermissions on your application directory.\n\n**Also note it may still be possible for planting attacks to be done\nagainst load-time DLLs used by libcurl and the curl tool. This is because\nWindows loads those DLLs and their dependencies without specifying a\npath. There is nothing we can do to fix this, it is endemic in the design of\nWindows. We advise you to guard write permissions on your application\ndirectory.**"
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2016-3739",
"aliases": [
"CVE-2016-3739"
],
"summary": "TLS certificate check bypass with mbedTLS/PolarSSL",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2016-3739.json",
"www": "https://curl.se/docs/CVE-2016-3739.html",
"CWE": {
"id": "CWE-297",
"desc": "Improper Validation of Certificate with Host Mismatch"
},
"last_affected": "7.48.0",
"severity": "High"
},
"published": "2016-05-18T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.21.0"},
{"fixed": "7.49.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "51427e1947ddc07b4ce8ad9dcb04846125170f83"},
{"fixed": "6efd2fa529a189bf41736a610f6184cd8ad94b4d"}
]
}
],
"versions": [
"7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0",
"7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1",
"7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0",
"7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0",
"7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5",
"7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0"
]
}
],
"credits": [
{
"name": "Moti Avrahami",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl did not check the server certificate of TLS connections done to a host\nspecified as an IP address, or when explicitly asked to use SSLv3.\n\nThis flaw only exists when libcurl is built to use mbedTLS or PolarSSL as the\nTLS backend.\n\nThe documentation for mbedTLS and PolarSSL (wrongly) says that the API\nfunction `ssl_set_hostname()` is used only for setting the name for the TLS\nextension SNI. The set string is however even more importantly used by the\nlibraries to verify the server certificate, and if no \"hostname\" is set it\njust skips the check and successfully continues with the handshake.\n\nlibcurl would wrongly avoid using the function when the specified hostname was\ngiven as an IP address or when SSLv3 is used, as SNI is not supposed to be\nused then. As a result, all uses of TLS oriented protocols (HTTPS,\nFTPS, IMAPS, POP3S, SMTPS, etc) allow connections to servers with unverified\nserver certificates as long as they are specified as IP addresses or using\nSSLv3.\n\nBy tricking a libcurl-using client to use a URL with a host specified as IP\naddress only, an application could be made to connect to an impostor server or\nMan In The Middle host without noticing.\n\nNote: PolarSSL is the old name and releases of the library that nowadays is\nknown and released under the name mbedTLS."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2016-0754",
"aliases": [
"CVE-2016-0754"
],
"summary": "remote filename path traversal in curl tool for Windows",
"modified": "2024-07-02T09:22:24.00Z",
"database_specific": {
"package": "curl",
"affects": "tool",
"URL": "https://curl.se/docs/CVE-2016-0754.json",
"www": "https://curl.se/docs/CVE-2016-0754.html",
"CWE": {
"id": "CWE-22",
"desc": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
},
"last_affected": "7.46.0",
"severity": "High"
},
"published": "2016-01-27T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "4.0"},
{"fixed": "7.47.0"}
]
} ],
"versions": [
"7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0",
"7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0",
"7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1",
"7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0",
"7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2",
"7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5",
"7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1",
"7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1",
"7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0",
"7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2",
"7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7",
"7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10",
"7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2",
"7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1",
"7.7", "7.6.1", "7.6", "7.5.2", "7.5.1", "7.5", "7.4.2",
"7.4.1", "7.4", "7.3", "7.2.1", "7.2", "7.1.1", "7.1",
"6.5.2", "6.5.1", "6.5", "6.4", "6.3.1", "6.3", "6.2",
"6.1", "6.0", "5.11", "5.10", "5.9.1", "5.9", "5.8",
"5.7.1", "5.7", "5.5.1", "5.5", "5.4", "5.3", "5.2.1",
"5.2", "5.0", "4.10", "4.9", "4.8.4", "4.8.3", "4.8.2",
"4.8.1", "4.8", "4.7", "4.6", "4.5.1", "4.5", "4.4",
"4.3", "4.2", "4.1", "4.0"
]
}
],
"credits": [
{
"name": "Ray Satiro (Jay)",
"type": "FINDER"
},
{
"name": "Ray Satiro (Jay)",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "curl does not sanitize colons in a remote filename that is used as the local\nfilename. This may lead to a vulnerability on systems where the colon is a\nspecial path character. Currently Windows is the only OS where this\nvulnerability applies.\n\ncurl offers command line options `--remote-name` (also usable as `-O`) and\n`--remote-header-name` (also usable as `-J`). When both of those options are\nused together (`-OJ`) and the server provides a remote filename for the content,\ncurl writes its output to that server-provided filename, as long as that file\ndoes not already exist. If it does exist curl fails to write.\n\nIf both options are used together (`-OJ`) but the server does not provide a\nremote filename, or if `-O` is used without `-J`, curl writes output to a\nfilename based solely on the remote filename in the URL string provided by the\nuser, regardless of whether or not that file already exists.\n\nIn either case curl does not sanitize colons in the filename. As a result in\nWindows it is possible and unintended behavior for curl to write to a file in\nthe working directory of a drive that is not the current drive (i.e. outside\nthe current working directory), and also possible to write to a file's\nalternate data stream.\n\nFor example if curl is used with `-OJ` and the server sends `filename=f:foo`, curl incorrectly\nwrites foo to the working directory for drive F even if drive F is not the\ncurrent drive. For a more detailed explanation see the 'MORE BACKGROUND AND\nEXAMPLE' section towards the end of this advisory.\n\nThough no known exploit is available for this issue at the time of the\npublication, writing one would be undemanding and could be serious depending\non the name of the file and where it ends up being written."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2016-0755",
"aliases": [
"CVE-2016-0755"
],
"summary": "NTLM credentials not-checked for proxy connection reuse",
"modified": "2025-09-27T10:58:29.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2016-0755.json",
"www": "https://curl.se/docs/CVE-2016-0755.html",
"CWE": {
"id": "CWE-305",
"desc": "Authentication Bypass by Primary Weakness"
},
"last_affected": "7.46.0",
"severity": "Medium"
},
"published": "2016-01-27T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.10.7"},
{"fixed": "7.47.0"}
]
} ],
"versions": [
"7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0",
"7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0",
"7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1",
"7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0",
"7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2",
"7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5",
"7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1",
"7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1",
"7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0",
"7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2",
"7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7"
]
}
],
"credits": [
{
"name": "Isaac Boukris",
"type": "FINDER"
},
{
"name": "Isaac Boukris",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl reuses NTLM-authenticated proxy connections without properly making\nsure that the connection was authenticated with the same credentials as set\nfor this transfer.\n\nlibcurl maintains a pool of connections after a transfer has completed. The\npool of connections is then gone through when a new transfer is requested and\nif there is a live connection available that can be reused, it is preferred\ninstead of creating a new one.\n\nSince NTLM-based authentication is *connection oriented* instead of *request\noriented* as other HTTP based authentication, it is important that only\nconnections that have been authenticated with the correct username + password\nare reused. This was done properly for server connections already, but libcurl\nfailed to do it properly for proxy connections using NTLM.\n\nA libcurl application can easily switch user credentials used for a proxy\nconnection between two requests, and that subsequent transfer then MUST make\nlibcurl use another connection. libcurl previously failed to do so.\n\nThe effect of this flaw is that the application could be reusing a proxy\nconnection using the previously used credentials and thus it could be given\naccess to, or prevented from accessing, resources that it was not intended to.\n\nThis problem is very similar to\n[CVE-2014-0015](https://curl.se/docs/CVE-2014-0015.html), which was for\ndirect server connections while this is for proxy connections."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2015-3237",
"aliases": [
"CVE-2015-3237"
],
"summary": "SMB send off unrelated memory contents",
"modified": "2023-06-02T13:03:22.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2015-3237.json",
"www": "https://curl.se/docs/CVE-2015-3237.html",
"CWE": {
"id": "CWE-126",
"desc": "Buffer Over-read"
},
"last_affected": "7.42.1",
"severity": "High"
},
"published": "2015-06-17T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.40.0"},
{"fixed": "7.43.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "e80d9d5902f38407d971587f2a6b7b839247ca92"},
{"fixed": "50c7f17e503fbab5081b69c97f9d4645389b9270"}
]
}
],
"versions": [
"7.42.1", "7.42.0", "7.41.0", "7.40.0"
]
}
],
"credits": [
{
"name": "Daniel Stenberg",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl can get tricked by a malicious SMB server to send off data it did not\nintend to.\n\nIn libcurl's state machine function handling the SMB protocol\n(`smb_request_state()`), two length and offset values are extracted from data\nthat has arrived over the network, and those values are subsequently used to\nfigure out what data range to send back.\n\nThe values are used and trusted without boundary checks and are just assumed\nto be valid. This allows carefully handcrafted packages to trick libcurl into\nresponding and sending off data that was not intended. Or just crash if the\nvalues cause libcurl to access invalid memory."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2015-3236",
"aliases": [
"CVE-2015-3236"
],
"summary": "lingering HTTP credentials in connection reuse",
"modified": "2025-09-27T10:58:29.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2015-3236.json",
"www": "https://curl.se/docs/CVE-2015-3236.html",
"CWE": {
"id": "CWE-305",
"desc": "Authentication Bypass by Primary Weakness"
},
"last_affected": "7.42.1",
"severity": "High"
},
"published": "2015-06-17T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.40.0"},
{"fixed": "7.43.0"}
]
} ],
"versions": [
"7.42.1", "7.42.0", "7.41.0", "7.40.0"
]
}
],
"credits": [
{
"name": "Tomas Tomecek",
"type": "FINDER"
},
{
"name": "Kamil Dudka",
"type": "FINDER"
},
{
"name": "Kamil Dudka",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl can wrongly send HTTP credentials when reusing connections.\n\nlibcurl allows applications to set credentials for the upcoming transfer with\nHTTP Basic authentication, like with `CURLOPT_USERPWD` for example. Name and\npassword. Just like all other libcurl options the credentials are sticky and\nare kept associated with the \"handle\" until something is made to change the\nsituation.\n\nFurther, libcurl offers a `curl_easy_reset()` function that resets a handle\nback to its pristine state in terms of all settable options. A reset is of\ncourse also supposed to clear the credentials. A reset is typically used to\nclear up the handle and prepare it for a new, possibly unrelated, transfer.\n\nWithin such a handle, libcurl can also store a set of previous connections in\ncase a second transfer is requested to a hostname for which an existing\nconnection is already kept alive.\n\nWith this flaw present, using the handle even after a reset would make libcurl\naccidentally use those credentials in a subsequent request if done to the same\nhostname and connection as was previously accessed.\n\nAn example case would be first requesting a password protected resource from\none section of a website, and then do a second request of a public resource\nfrom a completely different part of the site without authentication. This flaw\nwould then inadvertently leak the credentials in the second request."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2015-3153",
"aliases": [
"CVE-2015-3153"
],
"summary": "sensitive HTTP server headers also sent to proxies",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2015-3153.json",
"www": "https://curl.se/docs/CVE-2015-3153.html",
"CWE": {
"id": "CWE-201",
"desc": "Information Exposure Through Sent Data"
},
"last_affected": "7.42.0",
"severity": "High"
},
"published": "2015-04-29T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "4.0"},
{"fixed": "7.42.1"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "ae1912cb0d494b48d514d937826c9fe83ec96c4d"},
{"fixed": "6ba2e88a642434bd0ffa95465e4a7d034d03ea10"}
]
}
],
"versions": [
"7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0",
"7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0",
"7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0",
"7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4",
"7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7",
"7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0",
"7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3",
"7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2",
"7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0",
"7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0",
"7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2",
"7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4",
"7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3",
"7.7.2", "7.7.1", "7.7", "7.6.1", "7.6", "7.5.2", "7.5.1",
"7.5", "7.4.2", "7.4.1", "7.4", "7.3", "7.2.1", "7.2",
"7.1.1", "7.1", "6.5.2", "6.5.1", "6.5", "6.4", "6.3.1",
"6.3", "6.2", "6.1", "6.0", "5.11", "5.10", "5.9.1",
"5.9", "5.8", "5.7.1", "5.7", "5.5.1", "5.5", "5.4",
"5.3", "5.2.1", "5.2", "5.0", "4.10", "4.9", "4.8.4",
"4.8.3", "4.8.2", "4.8.1", "4.8", "4.7", "4.6", "4.5.1",
"4.5", "4.4", "4.3", "4.2", "4.1", "4.0"
]
}
],
"credits": [
{
"name": "Yehezkel Horowitz",
"type": "FINDER"
},
{
"name": "Oren Souroujon",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl provides applications a way to set custom HTTP headers to be sent to\nthe server by using `CURLOPT_HTTPHEADER`. A similar option is available for\nthe curl command-line tool with the '--header' option.\n\nWhen the connection passes through an HTTP proxy the same set of headers is\nsent to the proxy as well by default. While this is by design, it has not\nnecessarily been clear nor understood by application programmers.\n\nSuch tunneling over a proxy is done for example when using the HTTPS protocol\n- or when explicitly asked for. In this case, the initial connection to the\nproxy is made in clear including any custom headers using the HTTP CONNECT\nmethod.\n\nWhile libcurl provides the `CURLOPT_HEADEROPT` option to allow applications to\ntell libcurl if the headers should be sent to host and the proxy or use\nseparate lists to the different destinations, it has still defaulted to\nsending the same headers to both parties for the sake of compatibility.\n\nIf the application sets a custom HTTP header with sensitive content (e.g.,\nauthentication cookies) without changing the default, the proxy, and anyone\nwho listens to the traffic between the application and the proxy, might get\naccess to those values.\n\nNote: this problem does not exist when using the `CURLOPT_COOKIE` option (or\nthe `--cookie` option) or the HTTP auth options, which are always sent only to\nthe destination server."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2015-3144",
"aliases": [
"CVE-2015-3144"
],
"summary": "hostname out of boundary memory access",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2015-3144.json",
"www": "https://curl.se/docs/CVE-2015-3144.html",
"CWE": {
"id": "CWE-124",
"desc": "Buffer Underwrite ('Buffer Underflow')"
},
"last_affected": "7.41.0",
"severity": "Medium"
},
"published": "2015-04-22T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.37.0"},
{"fixed": "7.42.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "5de8d84098db1bd24e7fffefbe14e81f2a05995a"},
{"fixed": "0583e87ada7a3cfb10904ae4ab61b339582c5bd3"}
]
}
],
"versions": [
"7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0"
]
}
],
"credits": [
{
"name": "Hanno Böck",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "There is a private function in libcurl called `fix_hostname()` that removes a\ntrailing dot from the hostname if there is one. The function is called after\nthe hostname has been extracted from the URL libcurl has been told to act on.\n\nIf a URL is given with a zero-length hostname, like in \"http://:80\" or just\n\":80\", `fix_hostname()` indexes the hostname pointer with a -1 offset (as it\nblindly assumes a non-zero length) and both reads and assigns that address.\n\nAt best, this goes unnoticed but it can also lead to a crash or worse. We have\nnot researched further what kind of malicious actions this could potentially\nbe used for."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2015-3145",
"aliases": [
"CVE-2015-3145"
],
"summary": "cookie parser out of boundary memory access",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2015-3145.json",
"www": "https://curl.se/docs/CVE-2015-3145.html",
"CWE": {
"id": "CWE-124",
"desc": "Buffer Underwrite ('Buffer Underflow')"
},
"last_affected": "7.41.0",
"severity": "Medium"
},
"published": "2015-04-22T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.31.0"},
{"fixed": "7.42.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "f24dc09d209a2f91ca38d854f0c15ad93f3d7e2d"},
{"fixed": "b5f947b8ac0e282c61c75b69cd5b9d37dafc6959"}
]
}
],
"versions": [
"7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0",
"7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0"
]
}
],
"credits": [
{
"name": "Hanno Böck",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl supports HTTP \"cookies\" as documented in RFC 6265. Together with each\nindividual cookie there are several different properties, but for this\nvulnerability we focus on the associated \"path\" element. It tells for which\npath on a given host the cookie is valid.\n\nThe internal libcurl function called `sanitize_cookie_path()` that cleans up\nthe path element as given to it from a remote site or when read from a file,\ndid not properly validate the input. If given a path that consisted of a\nsingle double-quote, libcurl would index a newly allocated memory area with\nindex -1 and assign a zero to it, thus destroying heap memory it was not\nsupposed to.\n\nAt best, this goes unnoticed but it can also lead to a crash or worse. We have\nnot researched further what kind of malicious actions this could potentially\nbe used for.\n\nApplications have to explicitly enable cookie parsing in libcurl for this\nproblem to trigger, and if not enabled libcurl does not hit this problem."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2015-3148",
"aliases": [
"CVE-2015-3148"
],
"summary": "Negotiate not treated as connection-oriented",
"modified": "2025-09-27T10:58:29.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2015-3148.json",
"www": "https://curl.se/docs/CVE-2015-3148.html",
"CWE": {
"id": "CWE-305",
"desc": "Authentication Bypass by Primary Weakness"
},
"last_affected": "7.41.0",
"severity": "Medium"
},
"published": "2015-04-22T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.10.6"},
{"fixed": "7.42.0"}
]
} ],
"versions": [
"7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0",
"7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0",
"7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1",
"7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3",
"7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6",
"7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2",
"7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2",
"7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1",
"7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3",
"7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8",
"7.10.7", "7.10.6"
]
}
],
"credits": [
{
"name": "Isaac Boukris",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl keeps a pool of its last few connections around after use to\nfacilitate easy, convenient and completely transparent connection reuse for\napplications.\n\nWhen doing HTTP requests Negotiate authenticated, the entire connection may\nbecome authenticated and not just the specific HTTP request which is otherwise\nhow HTTP works, as Negotiate can basically use NTLM under the hood. curl was\nnot adhering to this fact but would assume that such requests would also be\nauthenticated per request.\n\nThe net effect is that libcurl may end up reusing an authenticated Negotiate\nconnection and sending subsequent requests on it using new credentials, while\nthe connection remains authenticated with a previous initial credentials\nsetup."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2015-3143",
"aliases": [
"CVE-2015-3143"
],
"summary": "Reusing authenticated connection when unauthenticated",
"modified": "2025-09-27T10:58:29.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2015-3143.json",
"www": "https://curl.se/docs/CVE-2015-3143.html",
"CWE": {
"id": "CWE-305",
"desc": "Authentication Bypass by Primary Weakness"
},
"last_affected": "7.41.0",
"severity": "Medium"
},
"published": "2015-04-22T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.10.6"},
{"fixed": "7.42.0"}
]
} ],
"versions": [
"7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0",
"7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0",
"7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1",
"7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3",
"7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6",
"7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2",
"7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2",
"7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1",
"7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3",
"7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8",
"7.10.7", "7.10.6"
]
}
],
"credits": [
{
"name": "Paras Sethia",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl keeps a pool of its last few connections around after use to\nfacilitate easy, convenient and completely transparent connection reuse for\napplications.\n\nWhen doing HTTP requests NTLM authenticated, the entire connection becomes\nauthenticated and not just the specific HTTP request which is otherwise how\nHTTP works. This makes NTLM special and a subject for special treatment in the\ncode. With NTLM, once the connection is authenticated, no further\nauthentication is necessary until the connection gets closed.\n\nlibcurl's connection reuse logic selects an existing connection for reuse\nwhen asked to do a request, and when asked to use NTLM libcurl has to pick a\nconnection with matching credentials only.\n\nIf a connection was first set up and used for an NTLM HTTP request with a\nspecific set of credentials, that same connection could later wrongly get\nreused in a subsequent HTTP request that was made to the same host - but\nwithout having any credentials set! Since an NTLM connection was already\nauthenticated due to how NTLM works, the subsequent request could then get\nsent over the wrong connection appearing as the initial user.\n\nThis problem is very similar to the previous problem known as\n[CVE-2014-0015](https://curl.se/docs/CVE-2014-0015.html). The main difference\nthis time is that the subsequent request that wrongly reuses a connection does\nnot ask for NTLM authentication."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2014-8151",
"aliases": [
"CVE-2014-8151"
],
"summary": "Secure Transport certificate check bypass",
"modified": "2025-09-27T10:58:29.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2014-8151.json",
"www": "https://curl.se/docs/CVE-2014-8151.html",
"CWE": {
"id": "CWE-297",
"desc": "Improper Validation of Certificate with Host Mismatch"
},
"last_affected": "7.39.0",
"severity": "Medium"
},
"published": "2015-01-08T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.31.0"},
{"fixed": "7.40.0"}
]
} ],
"versions": [
"7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0",
"7.33.0", "7.32.0", "7.31.0"
]
}
],
"credits": [
{
"name": "Marc Hesse at RethinkDB",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl stores TLS Session IDs in its associated Session ID cache when it\nconnects to TLS servers. In subsequent connects it reuses the entry in the\ncache to resume the TLS connection faster than when doing a full TLS\nhandshake. The actual implementation for the Session ID caching varies\ndepending on the underlying TLS backend.\n\nlibcurl allows applications to switch off certificate verification in two\ndifferent ways - using `CURLOPT_SSL_VERIFYHOST` and `CURLOPT_SSL_VERIFYPEER`.\n\nWhen an application connected to a TLS server with certificate verification\ndisabled, it would store the Session ID in the cache and if then a subsequent\nconnection was made against the same host and port number, it would reuse the\nformer session and thanks to the reused session from the cache, it would\nskip the certificate check and wrongly accept any bad certificate that could\nbe presented.\n\nThe problem was that the \"key\" used for caching Session IDs did not take the\ncertificate check status into account.\n\nThis problem is specific to libcurl built to use the Secure Transport backend\nfor TLS, so it can only affect Mac and iPhone based applications."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2014-8150",
"aliases": [
"CVE-2014-8150"
],
"summary": "URL request injection",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2014-8150.json",
"www": "https://curl.se/docs/CVE-2014-8150.html",
"CWE": {
"id": "CWE-444",
"desc": "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')"
},
"last_affected": "7.39.0",
"severity": "High"
},
"published": "2015-01-08T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "6.0"},
{"fixed": "7.40.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "ae1912cb0d494b48d514d937826c9fe83ec96c4d"},
{"fixed": "178bd7db34f77e020fb8562890c5625ccbd67093"}
]
}
],
"versions": [
"7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0",
"7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0",
"7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0",
"7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1",
"7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4",
"7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0",
"7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0",
"7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1",
"7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1",
"7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6",
"7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8",
"7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1",
"7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7",
"7.6.1", "7.6", "7.5.2", "7.5.1", "7.5", "7.4.2", "7.4.1",
"7.4", "7.3", "7.2.1", "7.2", "7.1.1", "7.1", "6.5.2",
"6.5.1", "6.5", "6.4", "6.3.1", "6.3", "6.2", "6.1",
"6.0"
]
}
],
"credits": [
{
"name": "Andrey Labunets (Facebook)",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "When libcurl sends a request to a server via an HTTP proxy, it copies the\nentire URL into the request and sends it off.\n\nIf the given URL contains line feeds and carriage returns those are sent along\nto the proxy too, which allows the program to for example send a separate HTTP\nrequest embedded in the URL.\n\nMany programs allow some kind of external sources to set the URL or provide\npartial pieces for the URL to ask for, and if the URL as received from the\nuser is not stripped well enough this flaw allows malicious users to do\nadditional requests in a way that was not intended, or just to insert request\nheaders into the request that the program did not intend."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2014-3707",
"aliases": [
"CVE-2014-3707"
],
"summary": "duphandle read out of bounds",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "lib",
"URL": "https://curl.se/docs/CVE-2014-3707.json",
"www": "https://curl.se/docs/CVE-2014-3707.html",
"CWE": {
"id": "CWE-126",
"desc": "Buffer Over-read"
},
"last_affected": "7.38.0",
"severity": "Medium"
},
"published": "2014-11-05T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.17.1"},
{"fixed": "7.39.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "a005243908803662d4a05427bc1061db42f4d057"},
{"fixed": "b3875606925536f82fc61f3114ac42f29eaf6945"}
]
}
],
"versions": [
"7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0",
"7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0",
"7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7",
"7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0",
"7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3",
"7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1"
]
}
],
"credits": [
{
"name": "Symeon Paraschoudis",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
},
{
"name": "Stas Malyshev",
"type": "OTHER"
},
{
"name": "Dan Fandrich",
"type": "OTHER"
},
{
"name": "Tomas Hoger",
"type": "OTHER"
}
],
"details": "libcurl's function\n[`curl_easy_duphandle()`](https://curl.se/libcurl/c/curl_easy_duphandle.html)\nhas a bug that can lead to libcurl eventually sending off sensitive data that\nwas not intended for sending.\n\nWhen doing an HTTP POST transfer with libcurl, you can use the\n`CURLOPT_COPYPOSTFIELDS` option to specify a memory area holding the data to\nsend to the remote server. The memory area's size is set with a separate\noption, for example `CURLOPT_POSTFIELDSIZE`.\n\nAs the name implies, the data in the specified buffer is copied to a privately\nheld memory buffer that libcurl allocates on the heap. The memory area is\nassociated with the common CURL handle, often referred to as an \"easy handle\".\n\nThis handle can be duplicated by an application to create an identical copy,\nand all the already set options and data are then also similarly cloned and\nassociated with the newly returned handle. This also includes the data to\nsend in an HTTP POST request.\n\nThe internal libcurl function that duplicates options from the old handle to\nthe new had two problems:\n\n1. It mistakenly treated the post data buffer as if it was a C string which is\n assumed to end with a zero byte. `strdup()` was subsequently used to\n duplicate the post data buffer, and as a post data buffer can both\n legitimately contain a zero byte, or may not contain any zero bytes at all\n (including a trailing one), `strdup()` could create a copy that a) was too\n small b) was too large or c) could crash due to reading an inaccessible\n memory area. The `strdup()` function of course allocates memory off the\n heap.\n\n2. After duplication of the handle data, the pointer used to read from when\n sending the data was not updated. When sending off the post, libcurl would\n still read from the original handle's buffer which at that time could have\n been freed or reused for other purposes.\n\nWhen libcurl subsequently constructs the HTTP POST request and includes data\nfor the protocol body it copies data from that pointer using the old size and\nthe old pointer. This makes a read from the wrong place and can lead to\nlibcurl inserting data into the request that happens to be stored at that\nplace in memory at that time.\n\nWe are not aware of anyone having been able to actually exploit this for\nnefarious purposes, but we cannot exclude that it is possible or even might\nalready have been exploited."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2014-3620",
"aliases": [
"CVE-2014-3620"
],
"summary": "cookie leak for TLDs",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2014-3620.json",
"www": "https://curl.se/docs/CVE-2014-3620.html",
"CWE": {
"id": "CWE-201",
"desc": "Information Exposure Through Sent Data"
},
"last_affected": "7.37.1",
"severity": "High"
},
"published": "2014-09-10T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.31.0"},
{"fixed": "7.38.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "85b9dc80232d1d7d48ee4dea6db5a2263ee68efd"},
{"fixed": "a76825a5efa6b41d3a1d4f275dada2f017f6f566"}
]
}
],
"versions": [
"7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0",
"7.31.0"
]
}
],
"credits": [
{
"name": "Tim Ruehsen",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl wrongly allows cookies to be set for Top Level Domains (TLDs), thus\nmaking them apply broader than cookies are allowed. This can allow arbitrary\nsites to set cookies that then would get sent to a different and unrelated\nsite or domain."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2014-3613",
"aliases": [
"CVE-2014-3613"
],
"summary": "cookie leak with IP address as domain",
"modified": "2024-02-08T00:03:48.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2014-3613.json",
"www": "https://curl.se/docs/CVE-2014-3613.html",
"CWE": {
"id": "CWE-201",
"desc": "Information Exposure Through Sent Data"
},
"last_affected": "7.37.1",
"severity": "Medium"
},
"published": "2014-09-10T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "4.0"},
{"fixed": "7.38.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "ae1912cb0d494b48d514d937826c9fe83ec96c4d"},
{"fixed": "8a75dbeb2305297640453029b7905ef51b87e8dd"}
]
}
],
"versions": [
"7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0",
"7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0",
"7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6",
"7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1",
"7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2",
"7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0",
"7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4",
"7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2",
"7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2",
"7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4",
"7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6",
"7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1",
"7.8", "7.7.3", "7.7.2", "7.7.1", "7.7", "7.6.1", "7.6",
"7.5.2", "7.5.1", "7.5", "7.4.2", "7.4.1", "7.4", "7.3",
"7.2.1", "7.2", "7.1.1", "7.1", "6.5.2", "6.5.1", "6.5",
"6.4", "6.3.1", "6.3", "6.2", "6.1", "6.0", "5.11",
"5.10", "5.9.1", "5.9", "5.8", "5.7.1", "5.7", "5.5.1",
"5.5", "5.4", "5.3", "5.2.1", "5.2", "5.0", "4.10",
"4.9", "4.8.4", "4.8.3", "4.8.2", "4.8.1", "4.8", "4.7",
"4.6", "4.5.1", "4.5", "4.4", "4.3", "4.2", "4.1",
"4.0"
]
}
],
"credits": [
{
"name": "Tim Ruehsen",
"type": "FINDER"
},
{
"name": "Tim Ruehsen",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "By not detecting and rejecting domain names for partial literal IP addresses\nproperly when parsing received HTTP cookies, libcurl can be fooled to both\nsending cookies to wrong sites and into allowing arbitrary sites to set\ncookies for others.\n\nFor this problem to trigger, the client application must use the numerical\nIP address in the URL to access the site and the site must send back cookies\nto the site using domain= and a partial IP address.\n\nSince libcurl wrongly approaches the IP address like it was a normal domain\nname, a site at IP address `192.168.0.1` can set cookies for anything ending\nwith `.168.0.1` thus fooling libcurl to send them also to for example\n`129.168.0.1`.\n\nThe flaw requires dots to be present in the IP address, which restricts the\nflaw to IPv4 literal addresses or IPv6 addresses using the somewhat unusual\n\"dotted-quad\" style: `::ffff:192.0.2.128`.\n\nThis is not believed to be done by typical sites as this is not supported by\nclients that adhere to the rules of the RFC 6265, and many sites are written\nto explicitly use their own specific named domain when sending cookies."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2014-2522",
"aliases": [
"CVE-2014-2522"
],
"summary": "not verifying certs for TLS to IP address / Schannel",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2014-2522.json",
"www": "https://curl.se/docs/CVE-2014-2522.html",
"CWE": {
"id": "CWE-297",
"desc": "Improper Validation of Certificate with Host Mismatch"
},
"last_affected": "7.35.0",
"severity": "Medium"
},
"published": "2014-03-26T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.27.0"},
{"fixed": "7.36.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "aaa42aa0d594b95c6c670a373ba30c507aa0a5ed"},
{"fixed": "63fc8ee7be2b712e7af5029f4f8a86a0dfd71b38"}
]
}
],
"versions": [
"7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0",
"7.28.1", "7.28.0", "7.27.0"
]
}
],
"credits": [
{
"name": "David Ryskalczyk",
"type": "FINDER"
},
{
"name": "David Ryskalczyk",
"type": "REMEDIATION_DEVELOPER"
},
{
"name": "Marc Hoersken",
"type": "OTHER"
}
],
"details": "When asked to do a TLS connection (HTTPS, FTPS, IMAPS, etc) to a URL specified\nwith an IP address instead of a name, libcurl would wrongly not verify the\nserver's name in the certificate. The signature (whether it was signed by a\ntrusted CA) and validity (whether the date was within the certificate's\nlifetime and it was not revoked) verification was still performed.\n\nThis is a problem in libcurl built to use the Schannel TLS backend.\nSchannel is the native library provided by Microsoft Windows.\n\nOnly users on Windows can be affected by this, and only if libcurl was built\nto use the native TLS backend library."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2014-1263",
"aliases": [
"CVE-2014-1263"
],
"summary": "not verifying certs for TLS to IP address / Secure Transport",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2014-1263.json",
"www": "https://curl.se/docs/CVE-2014-1263.html",
"CWE": {
"id": "CWE-297",
"desc": "Improper Validation of Certificate with Host Mismatch"
},
"last_affected": "7.35.0",
"severity": "Medium"
},
"published": "2014-03-26T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.27.0"},
{"fixed": "7.36.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "6d1ea388cbd9de7f2a944a0c64f5feaec1b1904a"},
{"fixed": "afc6e5004fabee590e41ffe750a237e1187fbbbd"}
]
}
],
"versions": [
"7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0",
"7.28.1", "7.28.0", "7.27.0"
]
}
],
"credits": [
{
"name": "Roland Moriz",
"type": "FINDER"
},
{
"name": "David Ryskalczyk",
"type": "REMEDIATION_DEVELOPER"
},
{
"name": "Nick Zitzmann",
"type": "OTHER"
}
],
"details": "When asked to do a TLS connection (HTTPS, FTPS, IMAPS, etc) to a URL specified\nwith an IP address instead of a name, libcurl would wrongly not verify the\nserver's name in the certificate. The signature (whether it was signed by a\ntrusted CA) and validity (whether the date was within the certificate's\nlifetime and it was not revoked) verification was still performed.\n\nThis is a problem in libcurl built to use the Secure Transport backend. Secure\nTransport is the TLS library present and used on Mac OS X and iOS.\n\nOnly users on Mac OS X or iOS can be affected by this, and only if libcurl was\nbuilt to use the native TLS backend library.\n\nThis problem was initially used as an example of the Apple SSL bug that hit\n[the news in late February\n2014](https://www.imperialviolet.org/2014/02/22/applebug.html) but that was\nnot correct."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2014-0139",
"aliases": [
"CVE-2014-0139"
],
"summary": "IP address wildcard certificate validation",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2014-0139.json",
"www": "https://curl.se/docs/CVE-2014-0139.html",
"CWE": {
"id": "CWE-297",
"desc": "Improper Validation of Certificate with Host Mismatch"
},
"last_affected": "7.35.0",
"severity": "Medium"
},
"published": "2014-03-26T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.10.3"},
{"fixed": "7.36.0"}
]
} ],
"versions": [
"7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0",
"7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1",
"7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3",
"7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6",
"7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2",
"7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2",
"7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1",
"7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3",
"7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8",
"7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3"
]
}
],
"credits": [
{
"name": "Richard Moore",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl incorrectly validates wildcard SSL certificates containing literal\nIP addresses.\n\nRFC 2818 covers the requirements for matching Common Names (CNs) and\nsubjectAltNames in order to establish valid SSL connections. It first\ndiscusses CNs that are for hostnames, and the rules for wildcards in this\ncase. The next paragraph in the RFC then discusses CNs that are IP addresses:\n\n'In some cases, the URI is specified as an IP address rather than a\nhostname. In this case, the `iPAddress` subjectAltName must be present in the\ncertificate and must exactly match the IP in the URI.'\n\nThe intention of the RFC is clear in that you should not be able to use\nwildcards with IP addresses (in order to avoid the ability to perform\nman-in-the-middle attacks). Unfortunately libcurl fails to adhere to this\nrule under certain conditions, and subsequently it would allow and use a\nwildcard match specified in the CN field.\n\nExploiting this flaw, a malicious server could participate in a MITM attack or\nmore easily fool users into believing that it is a legitimate site, for whatever purpose, when\nit actually is not.\n\nA good CA should refuse to issue a certificate with the CN as indicated,\nhowever, only one CA needs to issue one in error for this issue to\nresult in the user getting no warning at all and being vulnerable to MITM.\n\nThis flaw is only present in libcurl when built to use one out of a few\nspecific TLS libraries: OpenSSL, axTLS, qsossl or gskit.\n\nThis problem is similar to one previously reported by Richard Moore, found in\nmultiple browsers."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2014-0138",
"aliases": [
"CVE-2014-0138"
],
"summary": "wrong reuse of connections",
"modified": "2025-09-27T10:58:29.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2014-0138.json",
"www": "https://curl.se/docs/CVE-2014-0138.html",
"CWE": {
"id": "CWE-305",
"desc": "Authentication Bypass by Primary Weakness"
},
"last_affected": "7.35.0",
"severity": "Medium"
},
"published": "2014-03-26T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.10.6"},
{"fixed": "7.36.0"}
]
} ],
"versions": [
"7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0",
"7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1",
"7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3",
"7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6",
"7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2",
"7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2",
"7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1",
"7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3",
"7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8",
"7.10.7", "7.10.6"
]
}
],
"credits": [
{
"name": "Steve Holme",
"type": "FINDER"
},
{
"name": "Steve Holme",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl can in some circumstances reuse the wrong connection when asked to\ndo transfers using other protocols than HTTP and FTP.\n\nlibcurl features a pool of recent connections so that subsequent requests\ncan reuse an existing connection to avoid overhead.\n\nWhen reusing a connection a range of criteria must first be met. Due to an\nerror in the code, a transfer that was initiated by an application could\nwrongfully reuse an existing connection to the same server that was\nauthenticated using different credentials. The existing logic basically only\nworked well enough for HTTP and FTP, while all other network protocols were\nsilently, but erroneously, assumed to work like HTTP. Basically, protocols\nthat use connection-oriented authentication need a new connection when new\ncredentials are used.\n\nAffected protocols include: SCP, SFTP, POP3(S), IMAP(S), SMTP(S) and\nLDAP(S).\n\nApplications can disable libcurl's reuse of connections and thus mitigate\nthis problem, by using one of the following libcurl options to alter how\nconnections are or are not reused: `CURLOPT_FRESH_CONNECT`,\n`CURLOPT_MAXCONNECTS` and `CURLMOPT_MAX_HOST_CONNECTIONS` (if using the\ncurl_multi API).\n\n(This problem is very similar to a problem previously reported for NTLM HTTP\nconnections, named [CVE-2014-0015](CVE-2014-0015.html))"
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2014-0015",
"aliases": [
"CVE-2014-0015"
],
"summary": "reuse of wrong HTTP NTLM connection",
"modified": "2025-09-27T10:58:29.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2014-0015.json",
"www": "https://curl.se/docs/CVE-2014-0015.html",
"CWE": {
"id": "CWE-305",
"desc": "Authentication Bypass by Primary Weakness"
},
"last_affected": "7.34.0",
"severity": "Medium"
},
"published": "2014-01-29T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.10.6"},
{"fixed": "7.35.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "73c5f24fa40460f41d6cd9114827383edc57e287"},
{"fixed": "8ae35102c43d8d06572c3a1292eb6e27e663c78d"}
]
}
],
"versions": [
"7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1",
"7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0",
"7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2",
"7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5",
"7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1",
"7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1",
"7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0",
"7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2",
"7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7",
"7.10.6"
]
}
],
"credits": [
{
"name": "Paras Sethia",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
},
{
"name": "Yehezkel Horowitz",
"type": "OTHER"
}
],
"details": "libcurl can in some circumstances reuse the wrong connection when asked to\ndo an NTLM-authenticated HTTP or HTTPS request.\n\nlibcurl features a pool of recent connections so that subsequent requests\ncan reuse an existing connection to avoid overhead.\n\nWhen reusing a connection a range of criteria must first be met. Due to a\nlogical error in the code, a request that was issued by an application could\nwrongfully reuse an existing connection to the same server that was\nauthenticated using different credentials. One underlying reason is that\nNTLM authenticates connections and not requests, contrary to how HTTP is\ndesigned to work and how other authentication methods work.\n\nWhen an application allows NTLM and another auth method (the bug only triggers\nif more than one auth method is asked for) to a server (that responds wanting\nNTLM) with user1:password1 and then does another operation to the same server\nwith user2:password2 (when the previous connection was left alive), the\nsecond request reuses the same connection and since it then sees that the\nNTLM negotiation is already made, it just sends the request over that\nconnection thinking it uses the user2 credentials when it is in fact still\nusing the connection authenticated for user1...\n\nThe set of auth methods to use is set with `CURLOPT_HTTPAUTH`.\n\nTwo common auth defines in libcurl are `CURLAUTH_ANY` and `CURLAUTH_ANYSAFE`.\nBoth of them ask for NTLM and other methods and can therefore trigger this\nproblem.\n\nApplications can disable libcurl's reuse of connections and thus mitigate\nthis problem, by using one of the following libcurl options to alter how\nconnections are or are not reused: `CURLOPT_FRESH_CONNECT`,\n`CURLOPT_MAXCONNECTS` and `CURLMOPT_MAX_HOST_CONNECTIONS` (if using the\ncurl_multi API)."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2013-6422",
"aliases": [
"CVE-2013-6422"
],
"summary": "cert name check ignore with GnuTLS",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "lib",
"URL": "https://curl.se/docs/CVE-2013-6422.json",
"www": "https://curl.se/docs/CVE-2013-6422.html",
"CWE": {
"id": "CWE-297",
"desc": "Improper Validation of Certificate with Host Mismatch"
},
"last_affected": "7.33.0",
"severity": "Medium"
},
"published": "2013-12-17T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.21.4"},
{"fixed": "7.34.0"}
]
} ],
"versions": [
"7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0",
"7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0",
"7.21.7", "7.21.6", "7.21.5", "7.21.4"
]
}
],
"credits": [
{
"name": "Marc Deslauriers",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "(This issue is almost identical to the one named\n [CVE-2013-4545](CVE-2013-4545.html), but this problem affects a different SSL\n backend.)\n\n libcurl is vulnerable to a case of missing out the checking of the\n certificate `CN` or `SAN` name field when the digital signature verification\n is turned off.\n\n libcurl offers two separate and independent options for verifying a server's\n TLS certificate: `CURLOPT_SSL_VERIFYPEER` and `CURLOPT_SSL_VERIFYHOST`. The\n first one tells libcurl to verify the trust chain using a CA cert bundle,\n while the second tells libcurl to make sure that the name fields in the\n server certificate meet the criteria. Both options are enabled by default.\n\n This flaw had the effect that when an application disabled\n `CURLOPT_SSL_VERIFYPEER`, libcurl mistakenly also skipped the\n `CURLOPT_SSL_VERIFYHOST` check. Applications can disable\n `CURLOPT_SSL_VERIFYPEER` and still achieve security by doing the check on\n its own using other means.\n\n The curl command line tool is not affected by this problem as it either\n enables both options or disables both at the same time."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2013-4545",
"aliases": [
"CVE-2013-4545"
],
"summary": "cert name check ignore OpenSSL",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "lib",
"URL": "https://curl.se/docs/CVE-2013-4545.json",
"www": "https://curl.se/docs/CVE-2013-4545.html",
"CWE": {
"id": "CWE-297",
"desc": "Improper Validation of Certificate with Host Mismatch"
},
"last_affected": "7.32.0",
"severity": "Medium"
},
"published": "2013-11-15T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.18.0"},
{"fixed": "7.33.0"}
]
} ],
"versions": [
"7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0",
"7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7",
"7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0",
"7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3",
"7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0"
]
}
],
"credits": [
{
"name": "Scott Cantor",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl is vulnerable to a case of missing out the checking of the\n certificate CN or SAN name field when the digital signature verification is\n turned off.\n\n libcurl offers two separate and independent options for verifying a server's\n TLS certificate: `CURLOPT_SSL_VERIFYPEER` and `CURLOPT_SSL_VERIFYHOST`. The\n first one tells libcurl to verify the trust chain using a CA cert bundle,\n while the second tells libcurl to make sure that the name fields in the\n server certificate meet the criteria. Both options are enabled by default.\n\n This flaw had the effect that when an application disabled\n `CURLOPT_SSL_VERIFYPEER`, libcurl mistakenly also disabled the\n `CURLOPT_SSL_VERIFYHOST` check. Applications can disable\n `CURLOPT_SSL_VERIFYPEER` and still achieve security by doing the check on\n its own using other means.\n\n The curl command line tool is not affected by this problem as it either\n enables both options or disables both at the same time."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2013-2174",
"aliases": [
"CVE-2013-2174"
],
"summary": "URL decode buffer boundary flaw",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "lib",
"URL": "https://curl.se/docs/CVE-2013-2174.json",
"www": "https://curl.se/docs/CVE-2013-2174.html",
"CWE": {
"id": "CWE-126",
"desc": "Buffer Over-read"
},
"last_affected": "7.30.0",
"severity": "High"
},
"published": "2013-06-22T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.7"},
{"fixed": "7.31.0"}
]
} ],
"versions": [
"7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0",
"7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5",
"7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0",
"7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1",
"7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4",
"7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3",
"7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1",
"7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1",
"7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3",
"7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5",
"7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8",
"7.7.3", "7.7.2", "7.7.1", "7.7"
]
}
],
"credits": [
{
"name": "Timo Sirainen",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl is vulnerable to a case of bad checking of the input data which may\n lead to heap corruption.\n\n The function curl_easy_unescape() decodes URL encoded strings to raw binary\n data. URL encoded octets are represented with %HH combinations where HH is a\n two-digit hexadecimal number. The decoded string is written to an allocated\n memory area that the function returns to the caller.\n\n The function takes a source string and a length parameter, and if the length\n provided is 0 the function instead uses strlen() to figure out how much data\n to parse.\n\n The \"%HH\" parser wrongly only considered the case where a zero byte would\n terminate the input. If a length-limited buffer was passed in which ended\n with a '%' character which was followed by two hexadecimal digits outside of\n the buffer libcurl was allowed to parse alas without a terminating zero,\n libcurl would still parse that sequence as well. The counter for remaining\n data to handle would then be decreased too much and wrap to become a very\n large integer and the copying would go on too long and the destination\n buffer that is allocated on the heap would get overwritten.\n\n We consider it unlikely that programs allow user-provided strings unfiltered\n into this function. Also, only the not zero-terminated input string use case\n is affected by this flaw. Exploiting this flaw for gain is probably possible\n for specific circumstances but we consider the general risk for this to be\n low.\n\n The curl command line tool is not affected by this problem as it does not\n use this function."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2013-1944",
"aliases": [
"CVE-2013-1944"
],
"summary": "cookie domain tailmatch",
"modified": "2025-05-15T17:48:29.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2013-1944.json",
"www": "https://curl.se/docs/CVE-2013-1944.html",
"CWE": {
"id": "CWE-201",
"desc": "Information Exposure Through Sent Data"
},
"last_affected": "7.29.0",
"severity": "High"
},
"published": "2013-04-12T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "4.7"},
{"fixed": "7.30.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "ae1912cb0d494b48d514d937826c9fe83ec96c4d"},
{"fixed": "2eb8dcf26cb37f09cffe26909a646e702dbcab66"}
]
}
],
"versions": [
"7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0",
"7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4",
"7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7",
"7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0",
"7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3",
"7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2",
"7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0",
"7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0",
"7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2",
"7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4",
"7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3",
"7.7.2", "7.7.1", "7.7", "7.6.1", "7.6", "7.5.2", "7.5.1",
"7.5", "7.4.2", "7.4.1", "7.4", "7.3", "7.2.1", "7.2",
"7.1.1", "7.1", "6.5.2", "6.5.1", "6.5", "6.4", "6.3.1",
"6.3", "6.2", "6.1", "6.0", "5.11", "5.10", "5.9.1",
"5.9", "5.8", "5.7.1", "5.7", "5.5.1", "5.5", "5.4",
"5.3", "5.2.1", "5.2", "5.0", "4.10", "4.9", "4.8.4",
"4.8.3", "4.8.2", "4.8.1", "4.8", "4.7"
]
}
],
"credits": [
{
"name": "YAMADA Yasuharu",
"type": "FINDER"
},
{
"name": "YAMADA Yasuharu",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl is vulnerable to a cookie leak vulnerability when doing requests\n across domains with matching tails.\n\n When communicating over HTTP(S) and having libcurl's cookie engine enabled,\n libcurl stores and holds cookies for use when subsequent requests are done\n to hosts and paths that match those kept cookies. Due to a bug in the\n tailmatching function, libcurl could wrongly send cookies meant for the\n domain 'ample.com' when communicating with 'example.com'.\n\n This vulnerability can be used to hijack sessions in targeted attacks since\n registering domains using a known domain's name as an ending is trivial.\n\n Both curl the command line tool and applications using the libcurl library\n are vulnerable."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2013-0249",
"aliases": [
"CVE-2013-0249"
],
"summary": "SASL buffer overflow",
"modified": "2025-05-15T17:48:29.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2013-0249.json",
"www": "https://curl.se/docs/CVE-2013-0249.html",
"CWE": {
"id": "CWE-121",
"desc": "Stack-based Buffer Overflow"
},
"last_affected": "7.28.1",
"severity": "Critical"
},
"published": "2013-02-06T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.26.0"},
{"fixed": "7.29.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "7a2647e16237a2771f564d432d96a6f198a0eeb5"},
{"fixed": "f206d6c055d1008f0edb6d5d5920f0f300b9983a"}
]
}
],
"versions": [
"7.28.1", "7.28.0", "7.27.0", "7.26.0"
]
}
],
"credits": [
{
"name": "Volema",
"type": "FINDER"
},
{
"name": "Volema",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl is vulnerable to a buffer overflow vulnerability when communicating\n with one of the protocols POP3, SMTP or IMAP.\n\n When negotiating SASL DIGEST-MD5 authentication, the function\n `Curl_sasl_create_digest_md5_message()` uses the data provided from the\n server without doing the proper length checks and that data is then appended\n to a local fixed-size buffer on the stack.\n\n This vulnerability can be exploited by someone who is in control of a server\n that a libcurl based program is accessing with POP3, SMTP or IMAP. For\n applications that accept user provided URLs, it is also thinkable that a\n malicious user would feed an application with a URL to a server hosting code\n targeting this flaw.\n\n This vulnerability can be used for remote code execution (RCE) on vulnerable\n systems.\n\n Both curl the command line tool and applications using the libcurl library\n are vulnerable."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2011-3389",
"aliases": [
"CVE-2011-3389"
],
"summary": "SSL CBC IV vulnerability",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2011-3389.json",
"www": "https://curl.se/docs/CVE-2011-3389.html",
"CWE": {
"id": "CWE-924",
"desc": "Improper Enforcement of Message Integrity During Transmission in a Communication Channel"
},
"last_affected": "7.23.1",
"severity": "High"
},
"published": "2012-01-24T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.10.6"},
{"fixed": "7.24.0"}
]
} ],
"versions": [
"7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4",
"7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7",
"7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0",
"7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3",
"7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2",
"7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0",
"7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0",
"7.10.8", "7.10.7", "7.10.6"
]
}
],
"credits": [
{
"name": "product-security at Apple",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
},
{
"name": "Yang Tse",
"type": "OTHER"
}
],
"details": "curl is vulnerable to a SSL CBC IV vulnerability when built to use OpenSSL for\nthe SSL/TLS layer.\n\nThis vulnerability has been identified (CVE-2011-3389 aka the \"BEAST\" attack)\nand is addressed by OpenSSL already as they have made a work-around to\nmitigate the problem. When doing so, they figured out that some servers did\nnot work with the work-around and offered a way to disable it.\n\nThe bit used to disable the workaround was then added to the generic\n`SSL_OP_ALL` bitmask that SSL clients may use to enable workarounds for better\ncompatibility with servers. libcurl uses the SSL_OP_ALL bitmask.\n\nWhile `SSL_OP_ALL` is documented to enable \"rather harmless\" workarounds, it\ndoes in this case effectively enable this security vulnerability again."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2012-0036",
"aliases": [
"CVE-2012-0036"
],
"summary": "URL sanitization vulnerability",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2012-0036.json",
"www": "https://curl.se/docs/CVE-2012-0036.html",
"CWE": {
"id": "CWE-93",
"desc": "Improper Neutralization of CRLF Sequences ('CRLF Injection')"
},
"last_affected": "7.23.1",
"severity": "High"
},
"published": "2012-01-24T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.20.0"},
{"fixed": "7.24.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "ec3bb8f727405642a471b4b1b9eb0118fc003104"},
{"fixed": "75ca568fa1c19de4c5358fed246686de8467c238"}
]
}
],
"versions": [
"7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4",
"7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0"
]
}
],
"credits": [
{
"name": "Dan Fandrich",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "curl is vulnerable to a data injection attack for certain protocols through\ncontrol characters embedded or percent-encoded in URLs.\n\nWhen parsing URLs, libcurl's parser is liberal and only parses as little as\npossible and lets as much as possible through as long as it can figure out\nwhat to do.\n\nIn the specific process when libcurl extracts the file path part from a given\nURL, it did not always verify the data or escape control characters properly\nbefore it passed the file path on to the protocol-specific code that then\nwould use it for its protocol business.\n\nThis passing through of control characters could be exploited by someone who\nwould be able to pass in a handcrafted URL to libcurl. Lots of libcurl\nusing applications let users enter URLs in one form or another and not all\nof these check the input carefully to prevent malicious ones.\n\nA malicious user might pass in %0d%0a to get treated as CR LF by libcurl,\nand by using this fact a user can trick for example a POP3 client to delete\na message instead of getting it or trick an SMTP server to send an\nunintended message.\n\nThis vulnerability can be used to fool libcurl with the following protocols:\nIMAP, POP3 and SMTP.\n\nBoth curl the command line tool and applications using the libcurl library\nare vulnerable."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2011-2192",
"aliases": [
"CVE-2011-2192"
],
"summary": "inappropriate GSSAPI delegation",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2011-2192.json",
"www": "https://curl.se/docs/CVE-2011-2192.html",
"CWE": {
"id": "CWE-281",
"desc": "Improper Preservation of Permissions"
},
"last_affected": "7.21.6",
"severity": "Medium"
},
"published": "2011-06-23T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.10.6"},
{"fixed": "7.21.7"}
]
} ],
"versions": [
"7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0",
"7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3",
"7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1",
"7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5",
"7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0",
"7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0",
"7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6"
]
}
],
"credits": [
{
"name": "Richard Silverman",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
},
{
"name": "Dan Fandrich",
"type": "OTHER"
},
{
"name": "Julien Chaffraix",
"type": "OTHER"
}
],
"details": "When doing GSSAPI authentication, libcurl unconditionally performs\ncredential delegation. This hands the server a copy of the client's security\ncredentials, allowing the server to impersonate the client to any other\nusing the same GSSAPI mechanism. This is obviously a very sensitive\noperation, which should only be done when the user explicitly so directs.\n\nThe GSS/Negotiate feature is only used by libcurl for HTTP authentication if\ntold to, and only if libcurl was built with a library that provides the\nGSSAPI. Many builds of libcurl do not have GSS enabled."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2010-3842",
"aliases": [
"CVE-2010-3842"
],
"summary": "local file overwrite",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "tool",
"URL": "https://curl.se/docs/CVE-2010-3842.json",
"www": "https://curl.se/docs/CVE-2010-3842.html",
"CWE": {
"id": "CWE-30",
"desc": "Path Traversal"
},
"last_affected": "7.21.1",
"severity": "High"
},
"published": "2010-10-13T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.20.0"},
{"fixed": "7.21.2"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "80675818e0417be8c991513b328c5507e93b47e5"},
{"fixed": "81f151c912105ded480c3c88a1be53ca345298a1"}
]
}
],
"versions": [
"7.21.1", "7.21.0", "7.20.1", "7.20.0"
]
}
],
"credits": [
{
"name": "Dan Fandrich",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "curl offers a command line option --remote-header-name (also usable as -J)\nwhich uses the filename of the Content-disposition: header when it saves the\ndownloaded data locally.\n\ncurl attempts to cut off the directory parts from any given filename in the\nheader to only store files in the current directory. It might overwrite a\nlocal file using the same name as the header specifies.\n\nThe stripping of the directory did not take backslashes into account. On\nsome operating systems, backslashes are used to separate directories and\nfilenames. This allows a rogue server to send back a response that\noverwrites a filename in the local machine that the user is allowed to\nwrite, potentially a system file, a command or a known executable.\n\nOperating systems affected include Windows, Netware, MSDOS, OS/2 and\nSymbian.\n\nThis error is only present in the curl command line tool, it is NOT a\nproblem of the library libcurl."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2010-0734",
"aliases": [
"CVE-2010-0734"
],
"summary": "data callback excessive length",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "lib",
"URL": "https://curl.se/docs/CVE-2010-0734.json",
"www": "https://curl.se/docs/CVE-2010-0734.html",
"CWE": {
"id": "CWE-628",
"desc": "Function Call with Incorrectly Specified Arguments"
},
"last_affected": "7.19.7",
"severity": "High"
},
"published": "2010-02-09T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.10.5"},
{"fixed": "7.20.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "c95814c04d6a0436e5c4c88d2e1d57c7e0c91060"},
{"fixed": "06ae8ca5a6e452e5cb555c1a511a9df8dec6657c"}
]
}
],
"versions": [
"7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1",
"7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4",
"7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3",
"7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1",
"7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1",
"7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5"
]
}
],
"credits": [
{
"name": "Wesley Miaw",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "When downloading data, libcurl hands it over to the application using a\ncallback that is registered by the client software. libcurl then calls that\nfunction repeatedly with data until the transfer is complete. The callback is\ndocumented to receive a maximum data size of 16K (`CURL_MAX_WRITE_SIZE`).\n\nUsing the affected libcurl version to download compressed content over HTTP,\nan application can ask libcurl to automatically uncompress data. When doing\nso, libcurl can wrongly send data up to 64K in size to the callback which\nthus is much larger than the documented maximum size. An application that\nblindly trusts libcurl's max limit for a fixed buffer size or similar is\nthen a possible target for a buffer overflow vulnerability.\n\nThis error is only present in zlib-enabled builds of libcurl and only if\nautomatic decompression has been explicitly enabled by the application - it\nis disabled by default.\n\nWe have not found any libcurl client software that is vulnerable to this\nflaw - but we acknowledge that there may still be vulnerable software in\nexistence."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2009-2417",
"aliases": [
"CVE-2009-2417"
],
"summary": "embedded zero in cert name",
"modified": "2023-06-02T13:03:22.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2009-2417.json",
"www": "https://curl.se/docs/CVE-2009-2417.html",
"CWE": {
"id": "CWE-170",
"desc": "Improper Null Termination"
},
"last_affected": "7.19.5",
"severity": "High"
},
"published": "2009-08-12T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.4"},
{"fixed": "7.19.6"}
]
} ],
"versions": [
"7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2",
"7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2",
"7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1",
"7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3",
"7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8",
"7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1",
"7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3",
"7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2",
"7.7.1", "7.7", "7.6.1", "7.6", "7.5.2", "7.5.1", "7.5",
"7.4.2", "7.4.1", "7.4"
]
}
],
"credits": [
{
"name": "Scott Cantor",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
},
{
"name": "Peter Sylvester",
"type": "OTHER"
},
{
"name": "Michal Marek",
"type": "OTHER"
},
{
"name": "Kamil Dudka",
"type": "OTHER"
}
],
"details": "SSL and TLS Server certificates contain one or more fields with server name\nor otherwise matching patterns. These strings are stored as content and\nlength within the certificate, and thus there is no particular terminating\ncharacter.\n\ncurl's OpenSSL interfacing code did faulty assumptions about those names and\npatterns being zero terminated, allowing itself to be fooled in case a\ncertificate would get a zero byte embedded into one of the name fields. To\nillustrate, a name that would show this vulnerability could look like:\n\n \"example.com\\0.haxx.se\"\n\nThis cert is thus made for \"haxx.se\" but curl would erroneously verify it\nwith no complaints for \"example.com\".\n\nAccording to a recently published presentation, this kind of zero embedding\nhas been proven to be possible with at least one CA."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2009-0037",
"aliases": [
"CVE-2009-0037"
],
"summary": "Arbitrary File Access",
"modified": "2024-07-02T09:22:24.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2009-0037.json",
"www": "https://curl.se/docs/CVE-2009-0037.html",
"CWE": {
"id": "CWE-142",
"desc": "Improper Neutralization of Value Delimiters"
},
"last_affected": "7.19.3",
"severity": "Medium"
},
"published": "2009-03-03T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "5.11"},
{"fixed": "7.19.4"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "ae1912cb0d494b48d514d937826c9fe83ec96c4d"},
{"fixed": "042cc1f69ec0878f542667cb684378869f859911"}
]
}
],
"versions": [
"7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0",
"7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0",
"7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1",
"7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1",
"7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6",
"7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8",
"7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1",
"7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7",
"7.6.1", "7.6", "7.5.2", "7.5.1", "7.5", "7.4.2", "7.4.1",
"7.4", "7.3", "7.2.1", "7.2", "7.1.1", "7.1", "6.5.2",
"6.5.1", "6.5", "6.4", "6.3.1", "6.3", "6.2", "6.1",
"6.0", "5.11"
]
}
],
"credits": [
{
"name": "David Kierznowski",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "When told to follow a \"redirect\" automatically, libcurl does not question the\nnew target URL but follows it to any new URL that it understands. As libcurl\nsupports FILE:// URLs, a rogue server can thus \"trick\" a libcurl-using\napplication to read a local file instead of the remote one.\n\nThis is a problem, for example, when the application is running on a server\nand is written to upload or to otherwise provide the transferred data to a\nuser, to another server or to another application etc, as it can be used to\nexpose local files it was not meant to.\n\nThe problem can also be exploited for uploading, if the rogue server\nredirects the client to a local file and thus it would (over)write a local\nfile instead of sending it to the server.\n\nlibcurl compiled to support SCP can get tricked to get a file using embedded\nsemicolons, which can lead to execution of commands on the given\nserver. `Location: scp://name:passwd@host/a;date >/tmp/test;`.\n\nFiles on servers other than the one running libcurl are also accessible when\ncredentials for those servers are stored in the .netrc file of the user\nrunning libcurl. This is most common for FTP servers, but can occur with\nany protocol supported by libcurl. Files on remote SSH servers are also\naccessible when the user has an unencrypted SSH key."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2007-3564",
"aliases": [
"CVE-2007-3564"
],
"summary": "GnuTLS insufficient cert verification",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2007-3564.json",
"www": "https://curl.se/docs/CVE-2007-3564.html",
"CWE": {
"id": "CWE-298",
"desc": "Improper Validation of Certificate Expiration"
},
"last_affected": "7.16.3",
"severity": "Low"
},
"published": "2007-07-10T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.14.0"},
{"fixed": "7.16.4"}
]
} ],
"versions": [
"7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3",
"7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0"
]
}
],
"credits": [
{
"name": "Kees Cook",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl (when built to use GnuTLS) fails to verify that a peer's certificate\nhas not already expired or has not yet become valid. This allows malicious\nservers to present certificates to libcurl that were not rejected properly.\n\nNotably, the CA certificate and common name checks are still in place which\nreduces the risk for random servers to take advantage of this flaw."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2006-1061",
"aliases": [
"CVE-2006-1061"
],
"summary": "TFTP Packet Buffer Overflow",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2006-1061.json",
"www": "https://curl.se/docs/CVE-2006-1061.html",
"CWE": {
"id": "CWE-122",
"desc": "Heap-based Buffer Overflow"
},
"last_affected": "7.15.2",
"severity": "High"
},
"published": "2006-03-20T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.15.0"},
{"fixed": "7.15.3"}
]
} ],
"versions": [
"7.15.2", "7.15.1", "7.15.0"
]
}
],
"credits": [
{
"name": "Ulf Harnhammar",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
}
],
"details": "libcurl uses the given file part of a TFTP URL in a manner that allows a\nmalicious user to overflow a heap-based memory buffer due to the lack of\nboundary check.\n\nThis overflow happens if you pass in a URL with a TFTP protocol prefix\n(\"tftp://\"), using a valid host and a path part that is longer than 512 bytes.\n\nThe affected flaw can be triggered by a redirect, if curl/libcurl is told to\nfollow redirects and an HTTP server points the client to a tftp URL with the\ncharacteristics described above."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2005-4077",
"aliases": [
"CVE-2005-4077"
],
"summary": "URL Buffer Overflow",
"modified": "2023-06-02T13:03:22.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2005-4077.json",
"www": "https://curl.se/docs/CVE-2005-4077.html",
"CWE": {
"id": "CWE-122",
"desc": "Heap-based Buffer Overflow"
},
"last_affected": "7.15.0",
"severity": "High"
},
"published": "2005-12-07T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.11.2"},
{"fixed": "7.15.1"}
]
} ],
"versions": [
"7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3",
"7.12.2", "7.12.1", "7.12.0", "7.11.2"
]
}
],
"credits": [
{
"name": "Stefan Esser",
"type": "FINDER"
},
{
"name": "Daniel Stenberg",
"type": "REMEDIATION_DEVELOPER"
},
{
"name": "Wilfried Weissmann",
"type": "OTHER"
}
],
"details": "libcurl's URL parser function can overflow a heap based buffer in two ways, if\ngiven a too long URL.\n\nThese overflows happen if you\n\n 1 - pass in a URL with no protocol (like \"http://\") prefix, using no slash\n and the string is 256 bytes or longer. This leads to a single zero byte\n overflow of the heap buffer.\n\n 2 - pass in a URL with only a question mark as separator (no slash) between\n the host and the query part of the URL. This leads to a single zero byte\n overflow of the heap buffer.\n\nBoth overflows can be made with the same input string, leading to two single\nzero byte overwrites.\n\nThe affected flaw cannot be triggered by a redirect, but the long URL must be\npassed in \"directly\" to libcurl. It makes this a \"local\" problem. Of course,\nlots of programs may still pass in user-provided URLs to libcurl without doing\nmuch syntax checking of their own, allowing a user to exploit this\nvulnerability."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2005-3185",
"aliases": [
"CVE-2005-3185"
],
"summary": "NTLM Buffer Overflow",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2005-3185.json",
"www": "https://curl.se/docs/CVE-2005-3185.html",
"CWE": {
"id": "CWE-121",
"desc": "Stack-based Buffer Overflow"
},
"last_affected": "7.14.1",
"severity": "High"
},
"published": "2005-10-13T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.10.6"},
{"fixed": "7.15.0"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "bdb5e5a25037a585e0ec6b83d29b25961c6823f8"},
{"fixed": "943aea62679fb9f2d6d7abe59b5edcba21490c52"}
]
}
],
"versions": [
"7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2",
"7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7",
"7.10.6"
]
}
],
"credits": [
{
"name": "iDEFENSE",
"type": "FINDER"
}
],
"details": "libcurl's NTLM function can overflow a stack-based buffer if given a too long\nusername or domain name. This would happen if you enable NTLM authentication\nand either:\n\n A - pass in a username and domain name to libcurl that together are longer\n than 192 bytes\n\n B - allow (lib)curl to follow HTTP \"redirects\" (Location: and the appropriate\n HTTP 30x response code) and the new URL contains a URL with a username\n and domain name that together are longer than 192 bytes"
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2005-0490",
"aliases": [
"CVE-2005-0490"
],
"summary": "Authentication Buffer Overflows",
"modified": "2024-06-07T13:53:51.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2005-0490.json",
"www": "https://curl.se/docs/CVE-2005-0490.html",
"CWE": {
"id": "CWE-121",
"desc": "Stack-based Buffer Overflow"
},
"last_affected": "7.13.0",
"severity": "High"
},
"published": "2005-02-21T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "7.3"},
{"fixed": "7.13.1"}
]
} ],
"versions": [
"7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1",
"7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3",
"7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5",
"7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8",
"7.7.3", "7.7.2", "7.7.1", "7.7", "7.6.1", "7.6", "7.5.2",
"7.5.1", "7.5", "7.4.2", "7.4.1", "7.4", "7.3"
]
}
],
"credits": [
{
"name": "unknown",
"type": "FINDER"
}
],
"details": "Due to bad usage of the base64 decode function to a stack-based buffer without\nchecking the data length, it was possible for a malicious HTTP server to\noverflow the client during NTLM negotiation and for an FTP server to overflow\nthe client during krb4 negotiation. The\n[announcement](http://www.idefense.com/application/poi/display?id=202) of this\nflaw was done without contacting us."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2003-1605",
"aliases": [
"CVE-2003-1605"
],
"summary": "Proxy Authentication Header Information Leakage",
"modified": "2023-06-02T13:03:22.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2003-1605.json",
"www": "https://curl.se/docs/CVE-2003-1605.html",
"CWE": {
"id": "CWE-201",
"desc": "Information Exposure Through Sent Data"
},
"last_affected": "7.10.6",
"severity": "High"
},
"published": "2003-08-03T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "4.5"},
{"fixed": "7.10.7"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "ae1912cb0d494b48d514d937826c9fe83ec96c4d"},
{"fixed": "5c2df3e1a4da7b17ae053ee8c4ecef5eb2d30464"}
]
}
],
"versions": [
"7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10",
"7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2",
"7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1",
"7.7", "7.6.1", "7.6", "7.5.2", "7.5.1", "7.5", "7.4.2",
"7.4.1", "7.4", "7.3", "7.2.1", "7.2", "7.1.1", "7.1",
"6.5.2", "6.5.1", "6.5", "6.4", "6.3.1", "6.3", "6.2",
"6.1", "6.0", "5.11", "5.10", "5.9.1", "5.9", "5.8",
"5.7.1", "5.7", "5.5.1", "5.5", "5.4", "5.3", "5.2.1",
"5.2", "5.0", "4.10", "4.9", "4.8.4", "4.8.3", "4.8.2",
"4.8.1", "4.8", "4.7", "4.6", "4.5.1", "4.5"
]
}
],
"credits": [
{
"name": "unknown",
"type": "FINDER"
}
],
"details": "When curl connected to a site via an HTTP proxy with the CONNECT request, the\nuser and password used for the proxy connection was also sent off to the\nremote server."
},
{
"schema_version": "1.5.0",
"id": "CURL-CVE-2000-0973",
"aliases": [
"CVE-2000-0973"
],
"summary": "FTP Server Response Buffer Overflow",
"modified": "2023-06-02T13:03:22.00Z",
"database_specific": {
"package": "curl",
"affects": "both",
"URL": "https://curl.se/docs/CVE-2000-0973.json",
"www": "https://curl.se/docs/CVE-2000-0973.html",
"CWE": {
"id": "CWE-121",
"desc": "Stack-based Buffer Overflow"
},
"last_affected": "7.4",
"severity": "Critical"
},
"published": "2000-10-13T08:00:00.00Z",
"affected": [
{
"ranges": [
{
"type": "SEMVER",
"events": [
{"introduced": "6.0"},
{"fixed": "7.4.1"}
]
},
{
"type": "GIT",
"repo": "https://github.com/curl/curl.git",
"events": [
{"introduced": "ae1912cb0d494b48d514d937826c9fe83ec96c4d"},
{"fixed": "751d503f54596d6d86f969683fec2fe296d9d1f0"}
]
}
],
"versions": [
"7.4", "7.3", "7.2.1", "7.2", "7.1.1", "7.1", "6.5.2",
"6.5.1", "6.5", "6.4", "6.3.1", "6.3", "6.2", "6.1",
"6.0"
]
}
],
"credits": [
{
"name": "zillion",
"type": "FINDER"
}
],
"details": "When storing an FTP server's error message on failure, there was no check for\ninput length and thus a malicious FTP server could overflow curl's stack based\nbuffer."
}
]