Lucene search

K
freebsdFreeBSD765FEB7D-A0D1-11E6-A881-B499BAEBFEAF
HistoryNov 02, 2016 - 12:00 a.m.

cURL -- multiple vulnerabilities

2016-11-0200:00:00
vuxml.freebsd.org
12

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.013 Low

EPSS

Percentile

85.6%

The cURL project reports

cookie injection for other servers
case insensitive password comparison
OOB write via unchecked multiplication
double-free in curl_maprintf
double-free in krb5 code
glob parser write/read out of bounds
curl_getdate read out of bounds
URL unescape heap overflow via integer truncation
Use-after-free via shared cookies
invalid URL parsing with ‘#’
IDNA 2003 makes curl use wrong host

OSVersionArchitecturePackageVersionFilename
FreeBSDanynoarchcurl= 7.1UNKNOWN
FreeBSDanynoarchcurl< 7.51.0UNKNOWN

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.013 Low

EPSS

Percentile

85.6%