Lucene search

K
freebsdFreeBSD714B033A-2B09-11E9-8BC3-610FD6E6CD05
HistoryFeb 07, 2019 - 12:00 a.m.

curl -- multiple vulnerabilities

2019-02-0700:00:00
vuxml.freebsd.org
17

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.171 Low

EPSS

Percentile

96.0%

curl security problems:

CVE-2018-16890: NTLM type-2 out-of-bounds buffer read
libcurl contains a heap buffer out-of-bounds read flaw.
The function handling incoming NTLM type-2 messages
(lib/vauth/ntlm.c:ntlm_decode_type2_target) does not validate incoming
data correctly and is subject to an integer overflow vulnerability.
Using that overflow, a malicious or broken NTLM server could trick
libcurl to accept a bad length + offset combination that would lead to a
buffer read out-of-bounds.
CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow
libcurl contains a stack based buffer overflow vulnerability.
The function creating an outgoing NTLM type-3 header
(lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()), generates the
request HTTP header contents based on previously received data. The
check that exists to prevent the local buffer from getting overflowed is
implemented wrongly (using unsigned math) and as such it does not
prevent the overflow from happening.
This output data can grow larger than the local buffer if very large
“nt response” data is extracted from a previous NTLMv2 header provided
by the malicious or broken HTTP server.
Such a “large value” needs to be around 1000 bytes or more. The actual
payload data copied to the target buffer comes from the NTLMv2 type-2
response header.
CVE-2019-3823: SMTP end-of-response out-of-bounds read
libcurl contains a heap out-of-bounds read in the code handling the
end-of-response for SMTP.
If the buffer passed to smtp_endofresp() isn’t NUL terminated and
contains no character ending the parsed number, and len is set to 5,
then the strtol() call reads beyond the allocated buffer. The read
contents will not be returned to the caller.

OSVersionArchitecturePackageVersionFilename
FreeBSDanynoarchcurl< 7.64.0UNKNOWN

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.171 Low

EPSS

Percentile

96.0%

Related for 714B033A-2B09-11E9-8BC3-610FD6E6CD05