12 matches found
Curl 7.84.0 <= 8.4.0 Information Disclosure (CVE-2023-46219)
The version of Curl installed on the remote host is between 7.84.0 and 8.4.0. It is, therefore, affected by an information disclosure vulnerability. When saving HSTS data to an excessively long file name, Curl could end up removing all contents, making subsequent requests using that file unaware ...
CVE-2023-46219
When saving HSTS data to an excessively long file name, curl could end up removing all contents, making subsequent requests using that file unaware of the HSTS status they should otherwise use...
CVE-2022-32208 affecting package curl for versions less than 7.84.0-1
CVE-2022-32208 affecting package curl for versions less than 7.84.0-1. An upgraded version of the package is available that resolves this issue...
CVE-2022-32206 affecting package curl for versions less than 7.84.0-1
CVE-2022-32206 affecting package curl for versions less than 7.84.0-1. An upgraded version of the package is available that resolves this issue...
CVE-2022-32207 affecting package curl for versions less than 7.84.0-1
CVE-2022-32207 affecting package curl for versions less than 7.84.0-1. An upgraded version of the package is available that resolves this issue...
CVE-2022-32205 affecting package curl for versions less than 7.84.0-1
CVE-2022-32205 affecting package curl for versions less than 7.84.0-1. An upgraded version of the package is available that resolves this issue...
AZL-10103 CVE-2022-32207 affecting package curl for versions less than 7.84.0-1
When curl 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name. In that rename operation, it might accidentally widen the permissions for the target file, leaving the...
CVE-2022-32208
When curl 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client...
Vulnerabilities fixed in cURL
Vulnerabilities have been fixed in cURL. A remote attacker can exploit the vulnerabilities to cause a denial of service, or to gain access to sensitive data by performing a man-in-the-middle attack. Project CURL has released updates to address the vulnerabilities, fixed in cURL 7.84.0...
CVE-2022-32205
A malicious server can serve excessive amounts of Set-Cookie: headers in an HTTP response to curl and curl 7.84.0 stores all of them. A sufficiently large amount of big cookies makes subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger th...
PT-2022-21151
Name of the Vulnerable Software and Affected Versions: curl versions prior to 7.84.0. Description: A malicious server can serve excessive amounts of Set-Cookie: headers in an HTTP response to curl. This can cause subsequent HTTP requests to become larger than the internal threshold of 1048576 bytes,...
PT-2022-5561
Name of the Vulnerable Software and Affected Versions: curl versions prior to 7.84.0. Description: The issue concerns the support for "chained" HTTP compression algorithms in curl, where a server response can be compressed multiple times with different algorithms. A malicious server can exploit this...