30 matches found
curl: IDNA 2003 makes curl use wrong host
curl before version 7.51.0 uses outdated IDNA 2003 standard to handle International Domain Names and this may lead users to potentially and unknowingly issue network transfer requests to the wrong host...
Unauthorized Requests
libcurl.so is vulnerable to unauthorized requests. The library uses outdated IDNA standards when handling domain names, allowing a user to transfer network requests to the wrong host...
UBUNTU-CVE-2016-8625
curl before version 7.51.0 uses outdated IDNA 2003 standard to handle International Domain Names and this may lead users to potentially and unknowingly issue network transfer requests to the wrong host...
DEBIAN-CVE-2016-8625
curl before version 7.51.0 uses outdated IDNA 2003 standard to handle International Domain Names and this may lead users to potentially and unknowingly issue network transfer requests to the wrong host...
ALPINE-CVE-2016-8624
curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use an URL parser that follows the RFC t...
CVE-2017-5660
There is a vulnerability in Apache Traffic Server ATS 6.2.0 and prior and 7.0.0 and prior with the Host header and line folding. This can have issues when interacting with upstream proxies and the wrong host being used...
Internet Bug Bounty: Urllib connects to a wrong host
Description ----- The inconsistent of URL parsing and URL fetching are distinct Original bug report ----- - https://bugs.python.org/issue30500 - http://python-security.readthedocs.io/vuln/bpo-30500urllibconnectstoawronghost.html Note ----- - None Thanks : Impact SSRF...
CVE-2017-14063
Async Http Client aka async-http-client before 2.0.35 can be tricked into connecting to a host different from the one extracted by java.net.URI if a '?' character occurs in a fragment identifier. Similar bugs were previously identified in cURL CVE-2016-8624 and Oracle Java 8 java.net.URL...
invalid URL parsing with '#'
curl does not parse the authority component of the URL correctly when the host name part ends with a hash character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use a URL parser that follows the RFC to check for allowed...
IDNA 2003 makes curl use wrong host
When curl is built with libidn to handle International Domain Names IDNA, it translates them to puny code for DNS resolving using the IDNA 2003 standard, while IDNA 2008 is the modern and up-to-date IDNA standard. This misalignment causes problems with for example domains using the German ß...