188 matches found
eventfd double close
libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection channel after having completed a threaded name resolve...
cookie injection with none file
This flaw allows an attacker to intentionally inject cookies into a running program using libcurl, if the specific series of conditions are met. libcurl performs transfers. In its API, an application creates "easy handles" that are the individual handles for single transfers. libcurl provides a...
siglongjmp race condition
libcurl provides several different backends for resolving hostnames, selected at build time. If it is built to use the synchronous resolver, it allows name resolves to time-out slow operations using alarm and siglongjmp. When doing this, libcurl used a global buffer that was not mutex protected a...
FTP too eager connection reuse
libcurl would reuse a previously created FTP connection even when one or more options had been changed that could have made the effective user a different one, thus leading to doing the second transfer with the wrong credentials. libcurl keeps previously used connections in a connection pool for...
TELNET option IAC injection
curl supports communicating using the TELNET protocol and as a part of this it offers users to pass on username and "telnet options" for the server negotiation. Due to lack of proper input scrubbing and without it being the documented functionality, curl would pass on username and telnet options ...
HSTS ignored on multiple requests
curl's HSTS functionality fail when multiple URLs are requested serially. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly be ignored by subsequent...
HTTP proxy double free
If curl is told to use an HTTP proxy for a transfer with a non-HTTPS URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of protocol through. An HTTP proxy might refuse this request HTTP proxies often only allow outgoing...
control code in cookie denial of service
When curl retrieves and parses cookies from an HTTPS server, it accepts cookies using control codes byte values below 32. When cookies that contain such control codes are later sent back to an HTTPS server, it might make the server return a 400 response. Effectively allowing a "sister site" to de...
Non-preserved file permissions
When curl saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target filename. In that rename operation, it might accidentally widen the permissions for the target file, leaving the updated...
HSTS bypass via trailing dot
curl's HSTS check could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This mechanism could be bypassed if the hostname in the given URL used ...
TLS and SSH connection too eager reuse
libcurl would reuse a previously created connection even when a TLS or SSH related option had been changed that should have prohibited reuse. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, several TLS and...
CERTINFO never-ending busy-loop
libcurl provides the CURLOPTCERTINFO option to allow applications to request details to be returned about a TLS server's certificate chain. Due to an erroneous function, a malicious server could make libcurl built with NSS get stuck in a never-ending busy-loop when trying to retrieve that...
OAUTH2 bearer bypass in connection reuse
libcurl might reuse OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMTPS, IMAPS, POP3S and LDAPS OpenLDAP only. libcurl maintains a pool of live connection...
CURLOPT_SSLCERT mix-up with Secure Transport
libcurl-using applications can ask for a specific client certificate to be used in a transfer. This is done with the CURLOPTSSLCERT option --cert with the command line tool. When libcurl is built to use the macOS native TLS library Secure Transport, an application can ask for the client certifica...
Bad connection reuse due to flawed path name checks
libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse, if one of them matches the setup. Due to errors in the logic, the config matching function did not take 'issuer cert' into account and it compared the involved paths case insensitively, which could...
Metalink download sends credentials
When curl is instructed to get content using the Metalink feature, and a user name and password are used to download the Metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl downloads or tries to download the contents from. Often contrar...
TELNET stack contents disclosure
curl supports the -t command line option, known as CURLOPTTELNETOPTIONS in libcurl. This rarely used option is used to send variable=content pairs to TELNET servers. Due to flaw in the option parser for sending NEWENV variables, libcurl could be made to pass on uninitialized data from a stack bas...
FTP-KRB double free
libcurl can be told to use kerberos over FTP to a server, as set with the CURLOPTKRBLEVEL option. During such kerberos FTP data transfer, the server sends data to curl in blocks with the 32-bit size of each block first and then that amount of data immediately following. A malicious or broken serv...
TFTP small blocksize heap buffer overflow
libcurl contains a heap buffer overflow in the function tftpreceivepacket that receives data from a TFTP server. It can call recvfrom with the default size for the buffer rather than with the size that was used to allocate it. Thus, the content that might overwrite the heap memory is controlled b...
TFTP receive buffer overflow
libcurl contains a heap buffer overflow in the function tftpreceivepacket that receives data from a TFTP server. It calls recvfrom with the default size for the buffer rather than with the size that was used to allocate it. Thus, the content that might overwrite the heap memory is entirely...
SMTP end-of-response out-of-bounds read
libcurl contains a heap out-of-bounds read in the code handling the end-of-response for SMTP. If the buffer passed to smtpendofresp is not null-terminated and contains no character ending the parsed number, and len is set to 5, then the strtol call reads beyond the allocated buffer. The read...
NTLM type-2 out-of-bounds buffer read
libcurl contains a heap buffer out-of-bounds read flaw. The function handling incoming NTLM type-2 messages lib/vauth/ntlm.c:ntlmdecodetype2target does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server...
NTLMv2 type-3 header stack buffer overflow
libcurl contains a stack based buffer overflow vulnerability. The function creating an outgoing NTLM type-3 header lib/vauth/ntlm.c:Curlauthcreatentlmtype3message, generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from...
use after free in handle close
libcurl contains a heap use after free flaw in code related to closing an easy handle. When closing and cleaning up an "easy" handle in the Curlclose function, the library code first frees a struct without clearing the pointer and might then subsequently erroneously write to a struct field within...
SASL password overflow via integer overflow
libcurl contains a buffer overrun in the SASL authentication code. The internal function Curlauthcreateplainmessage fails to correctly verify that the passed in lengths for name and password are not too long, then calculates a buffer size to allocate. On systems with a 32-bit sizet, the math to...
FTP shutdown response buffer overflow
curl might overflow a heap based memory buffer when closing down an FTP connection with long server command replies. When doing FTP transfers, curl keeps a spare "closure handle" around internally that is used when an FTP connection gets shut down since the original curl easy handle is then alrea...
HTTP/2 trailer out-of-bounds read
libcurl contains an out bounds read in code handling HTTP/2 trailers. It was reported that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the code that creates HTTP/1-like headers from the HTTP/2 trailer data once...
IMAP FETCH response out of bounds read
libcurl contains a buffer overrun flaw in the IMAP handler. An IMAP FETCH response line indicates the size of the returned data, in number of bytes. When that response says the data is zero bytes, libcurl would pass on that non-existing data with a pointer and the size zero to the deliver-data...
TFTP sends more than buffer size
When doing a TFTP transfer and curl/libcurl is given a URL that contains a long filename longer than about 515 bytes, the filename is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the original length. This too large value is then used in the...
FILE buffer read out of bounds
When asking to get a file from a file:// URL, libcurl provides a feature that outputs meta-data about the file using HTTP-like headers. The code doing this would send the wrong buffer to the user stdout or the application's provide callback, which could lead to other private data from the heap to...
uninitialized random
libcurl's new internal function that returns a good 32-bit random value was implemented poorly and overwrote the pointer instead of writing the value into the buffer the pointer pointed to. This random value is used to generate nonces for Digest and NTLM authentication, for generating boundary...
Win CE Schannel cert name out of buffer read
curl's TLS server certificate checks are flawed on Windows CE. This vulnerability occurs in the verify certificate function when comparing a wildcard certificate name as returned by the Windows API function CertGetNameString to the hostname used to make the connection to the server. The pattern...
TLS session resumption client cert bypass
libcurl would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable since a server by specification is allowed to skip the client certificate check on resume, and may instead use the old identity which was established by the previous certificate or no...
use of connection struct after free
libcurl is vulnerable to a use after free flaw. libcurl works with easy handles using the type 'CURL ' that are objects the application creates using curleasyinit. They are the handles that are all each associated with a single transfer at a time. libcurl also has an internal struct that represen...
cookie leak for TLDs
libcurl wrongly allows cookies to be set for Top Level Domains TLDs, thus making them apply broader than cookies are allowed. This can allow arbitrary sites to set cookies that then would get sent to a different and unrelated site or domain...
not verifying certs for TLS to IP address / Secure Transport
When asked to do a TLS connection HTTPS, FTPS, IMAPS, etc to a URL specified with an IP address instead of a name, libcurl would wrongly not verify the server's name in the certificate. The signature whether it was signed by a trusted CA and validity whether the date was within the certificate's...
wrong reuse of connections
libcurl can in some circumstances reuse the wrong connection when asked to do transfers using other protocols than HTTP and FTP. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of...
reuse of wrong HTTP NTLM connection
libcurl can in some circumstances reuse the wrong connection when asked to do an NTLM-authenticated HTTP or HTTPS request. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criterion...
cert name check ignore with GnuTLS
This issue is almost identical to the one named CVE-2013-4545, but this problem affects a different SSL backend. libcurl is vulnerable to a case of missing out the checking of the certificate CN or SAN name field when the digital signature verification is turned off. libcurl offers two separate a...
URL decode buffer boundary flaw
libcurl is vulnerable to a case of bad checking of the input data which may lead to heap corruption. The function curleasyunescape decodes URL encoded strings to raw binary data. URL encoded octets are represented with %HH combinations where HH is a two-digit hexadecimal number. The decoded strin...
local file overwrite
curl offers a command line option --remote-header-name also usable as -J which uses the filename of the Content-disposition: header when it saves the downloaded data locally. curl attempts to cut off the directory parts from any given filename in the header to only store files in the current...
embedded zero in cert name
SSL and TLS Server certificates contain one or more fields with server name or otherwise matching patterns. These strings are stored as content and length within the certificate, and thus there is no particular terminating character. curl's OpenSSL interfacing code did faulty assumptions about...
GnuTLS insufficient cert verification
libcurl when built to use GnuTLS fails to verify that a peer's certificate has not already expired or has not yet become valid. This allows malicious servers to present certificates to libcurl that were not rejected properly. Notably, the CA certificate and common name checks are still in place...
URL Buffer Overflow
libcurl's URL parser function can overflow a heap based buffer in two ways, if given a too long URL. These overflows happen if you 1 - pass in a URL with no protocol like "http://" prefix, using no slash and the string is 256 bytes or longer. This leads to a single zero byte overflow of the heap...
predictable WebSocket mask
curl's WebSocket code did not update the 32-bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traffic between the two...
QUIC certificate check bypass with wolfSSL
libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to use wolfSSL. If told to use an unknown/bad cipher or curve, the error path accidentally skips the verification and returns OK, thus ignoring any certificate problems...
HTTP multi-header compression denial of service
curl supports "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was capped, but the cap was implemented on a per-header basis allowing a...
HTTP Proxy deny use after free
curl can be asked to tunnel virtually all protocols it supports through an HTTP proxy. HTTP proxies can and often do deny such tunnel operations using an appropriate HTTP error response code. When getting denied to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocated struc...
percent-encoded path separator in URL host
The curl URL parser wrongly accepts percent-encoded URL separators like '/' when decoding the hostname part of a URL, making it a different URL using the wrong hostname when it is later retrieved. For example, a URL like http://example.com%2F10.0.0.1/, would be allowed by the parser and get...
curl removes wrong file on error
curl might remove the wrong file when --no-clobber is used together with --remove-on-error. The --remove-on-error option tells curl to remove the output file when it returns an error, and not leave a partial file behind. The --no-clobber option prevents curl from overwriting a file if it already...