6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.044 Low
EPSS
Percentile
92.3%
The cURL project reports in a security advisory:
Using the affected libcurl version to download compressed
content over HTTP, an application can ask libcurl to
automatically uncompress data. When doing so, libcurl
can wrongly send data up to 64K in size to the callback
which thus is much larger than the documented maximum
size.
An application that blindly trusts libcurl’s max limit
for a fixed buffer size or similar is then a possible
target for a buffer overflow vulnerability.