Advisory ROSA-SA-2021-1818

Published: 2021-07-02 16:36:57
Source: ROSA LAB
Reference: abf.rosalinux.ru

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 9.8 High
Confidence: High

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.037 Low
Percentile: 91.6%

Software: curl 7.29.0
OS: Cobalt 7.9

CVE-ID: CVE-2013-4545
CVE-Crit: CRITICAL
CVE-DESC: cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disable validation of the certificate CN and SAN name fields (CURLOPT_SSL_VERIFYHOST) when digital signature validation (CURLOPT_SSL_VERIFYPEER) is disabled, allowing man-in-the-middle attackers to spoof SSL servers using an arbitrary valid certificate.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2014-0139
CVE-Crit: CRITICAL
CVE-DESC: cURL and libcurl 7.1 through 7.36.0, when using the OpenSSL, axtls, qsossl, or gskit libraries for TLS, recognize a wildcard IP address in the Common Name (CN) field of a subject X.509 certificate, which may allow man-in-the-middle attackers to spoof arbitrary SSL servers using a crafted certificate issued by a legitimate certificate authority.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2014-3620
CVE-Crit: MEDIUM
CVE-DESC: cURL and libcurl before 7.38.0 allow remote attackers to bypass the same-origin policy and set cookies for arbitrary sites by setting a cookie for a top-level domain.
CVE-STATUS: Default
CVE-REV: Default

CVE-ID: CVE-2015-3153
CVE-Crit: MEDIUM
CVE-DESC: The default configuration for cURL and libcurl before 7.42.1 sends customized HTTP headers to both the proxy server and the destination server, which may allow remote proxies to obtain sensitive information by reading the header content.
CVE-STATUS: Default
CVE-REV: Default

CVE-ID: CVE-2016-0755
CVE-Crit: HIGH
CVE-DESC: The ConnectionExists function in lib/url.c in libcurl before version 7.47.0 incorrectly reuses NTLM-authenticated proxy connections, which could allow remote attackers to authenticate as other users via a request, an issue similar to CVE-2014-0015.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2016-3739
CVE-Crit: MEDIUM
CVE-DESC: The (1) mbed_connect_step1 function in lib/vtls/mbedtls.c and (2) polarssl_connect_step1 function in lib/vtls/polarssl.c in cURL and libcurl before 7.49.0, when using SSLv3 or making a TLS connection to a URL that uses a numeric IP address, allow remote attackers to spoof servers using an arbitrary valid certificate.
CVE-STATUS: default
CVE-REV: Default

CVE-ID: CVE-2016-4802
CVE-Crit: HIGH
CVE-DESC: Multiple untrusted search path vulnerabilities in cURL and libcurl prior to 7.49.1, when built using SSPI or telnet, allow local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse (1) security.dll, (2) secur32.dll, or (3) ws2_32.dll in the application or current working directory.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2016-8615
CVE-Crit: HIGH
CVE-DESC: A bug was discovered in curl before version 7.51. If cookie state is written to a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server may inject new cookies for arbitrary domains into that cookie jar.
CVE-STATUS: Default
CVE-REV: default

CVE-ID: CVE-2016-8617
CVE-Crit: HIGH
CVE-DESC: The base64 encoding function in curl prior to version 7.51.0 is prone to under-allocating a buffer on 32-bit systems if it receives at least 1 GB as input via CURLOPT_USERNAME.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2016-8618
CVE-Crit: CRITICAL
CVE-DESC: The libcurl API function curl_maprintf() before version 7.51.0 can be tricked into performing a double free due to an unsafe size_t multiplication on systems using 32-bit size_t variables.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2016-8621
CVE-Crit: HIGH
CVE-DESC: The curl_getdate function in curl prior to version 7.51.0 is vulnerable to an out-of-bounds read if it receives input that is one digit short.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2016-9586
CVE-Crit: HIGH
CVE-DESC: curl prior to version 7.52.0 is vulnerable to a buffer overflow when producing large floating point output in libcurl's implementation of the printf() functions. If any application accepts a format string from the outside without the necessary input filtering, it may allow remote attacks.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2016-8616
CVE-Crit: MEDIUM
CVE-DESC: A bug was discovered in curl prior to version 7.51.0. When reusing a connection, curl performed case-insensitive username and password comparisons to existing connections. This means that if there is an unused connection with correct credentials for a protocol that has credentials in the connection scope, an attacker can reuse that connection if they know the case-insensitive version of the correct password.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2016-8619
CVE-Crit: CRITICAL
CVE-DESC: The read_data() function in security.c in curl before version 7.51.0 is vulnerable to a double free.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2016-8620
CVE-Crit: CRITICAL
CVE-DESC: The 'globbing' feature in curl prior to version 7.51.0 has a flaw that results in an integer overflow and an out-of-bounds read via user-controlled input.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2016-8623
CVE-Crit: HIGH
CVE-DESC: A bug was discovered in curl before version 7.51.0. The way curl handles cookies allows other threads to trigger a use-after-free leading to information disclosure.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2016-8625
CVE-Crit: HIGH
CVE-DESC: curl prior to version 7.51.0 uses the deprecated IDNA 2003 standard for handling international domain names, and this could cause users to potentially and unknowingly send network transfer requests to the wrong host.
CVE-STATUS: Default
CVE-REV: Default

CVE-ID: CVE-2016-9594
CVE-Crit: HIGH
CVE-DESC: curl before 7.52.1 is vulnerable to use of an uninitialized random value in an internal libcurl function that returns a good 32-bit random value. The presence of a weak or nearly nonexistent random value makes operations that use it vulnerable.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2016-8624
CVE-Crit: HIGH
CVE-DESC: curl prior to version 7.51.0 does not parse the URL authority component correctly when the hostname part ends with a '#' character, and can instead be tricked into connecting to a different host. This could have security implications if you, for example, use a URL parser that follows the RFC to check for authorized domains before using curl to query them.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2017-2629
CVE-Crit: MEDIUM
CVE-DESC: curl before 7.53.0 has an incorrect TLS Certificate Status Request extension feature, which asks for a fresh proof of the server certificate's validity: the flaw is in the code that checks whether the test succeeded or failed. It always ends up thinking there is a valid proof, even if there is not or if the server does not support the TLS extension in question. This can lead to users not detecting when the server certificate becomes invalid, or otherwise being misled into thinking that the server is in better shape than it actually is. This flaw also exists in the command-line tool (--cert-status).
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2017-8816
CVE-Crit: CRITICAL
CVE-DESC: The NTLM authentication feature in curl and libcurl before 7.57.0 on 32-bit platforms allows attackers to cause a denial of service (integer and resultant buffer overflow and application crash) or possibly have unspecified other impact via vectors that include long user and password fields.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2017-8817
CVE-Crit: CRITICAL
CVE-DESC: The FTP wildcard feature in curl and libcurl before 7.57.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a string that ends with a '[' character.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2017-9502
CVE-Crit: MEDIUM
CVE-DESC: In curl before 7.54.1 on Windows and DOS, the libcurl default protocol feature, which is the logic that allows an application to set which protocol libcurl should attempt to use when given a URL without a scheme part, had a flaw that could lead to overwriting a heap-based memory buffer with seven bytes. If the default protocol is specified as FILE or a file: URL lacks the two slashes, the given "URL" starts with a drive letter, and libcurl is built for Windows or DOS, then libcurl will copy the path 7 bytes off, so that the end of the given path will be written outside the malloc buffer (7 bytes is the length in bytes of the ASCII string "file://").
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-8284
CVE-Crit: LOW
CVE-DESC: A malicious server could use the FTP PASV response to trick curl 7.73.0 or earlier to connect back to a given IP address and port, and thus potentially force curl to extract information about services that are otherwise private and not disclosed, such as port scanning and service banner extraction.
CVE-STATUS: default
CVE-REV: default

OS      Version  Architecture  Package  Version   Filename
Cobalt  any      noarch        curl     < 7.29.0  UNKNOWN
