206 matches found

curl security advisories • added 2024/07/24

freeing stack buffer in utf8asn1str

libcurl's ASN1 parser has this utf8asn1str function used for parsing an ASN.1 UTF-8 string. It can detect an invalid field and return error. Unfortunately, when doing so it also invokes free on a 4-byte local stack buffer. Most modern malloc implementations detect this error and immediately abort...

CVSS 7.5 • AI score 7.8 • EPSS 0.04296
Exploits: 1 • References: 1 • Affected software: 2

curl security advisories • added 2024/03/27

TLS certificate check bypass with mbedTLS

libcurl did not check the server certificate of TLS connections done to a host specified as an IP address, when built to use mbedTLS. libcurl would wrongly avoid using the set hostname function when the specified hostname was given as an IP address, therefore completely skipping the certificate...

CVSS 6.5 • AI score 6.8 • EPSS 0.01299
Exploits: 1 • References: 1 • Affected software: 2

curl security advisories • added 2024/03/27

HTTP/2 push headers memory-leak

When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead lea...

CVSS 8.6 • AI score 6.6 • EPSS 0.36081
Exploits: 1 • References: 1 • Affected software: 2

curl security advisories • added 2024/03/27

QUIC certificate check bypass with wolfSSL

libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to use wolfSSL. If told to use an unknown/bad cipher or curve, the error path accidentally skips the verification and returns OK, thus ignoring any certificate problems...

CVSS 6.3 • AI score 6.6 • EPSS 0.01709
Exploits: 1 • References: 1 • Affected software: 2

curl security advisories • added 2024/03/27

Usage of disabled protocol

When a protocol selection parameter option disables all protocols without adding any then the default set of protocols would remain in the allowed set due to an error in the logic for removing protocols. The below command would perform a request to curl.se with a plaintext protocol which has been...

CVSS 3.5 • AI score 6.3 • EPSS 0.01681
Exploits: 1 • References: 1 • Affected software: 2

curl security advisories • added 2024/01/31

OCSP verification bypass with TLS session reuse

curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (OCSP stapling) test failed. A subsequent transfer to the same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check...

CVSS 5.3 • AI score 6.3 • EPSS 0.01102
Exploits: 1 • References: 1 • Affected software: 2

curl security advisories • added 2023/12/06

HSTS long filename clears contents

When saving HSTS data to an excessively long filename, curl could end up removing all contents, making subsequent requests using that file unaware of the HSTS status they should otherwise use...

CVSS 5.3 • AI score 6.5 • EPSS 0.01133
Exploits: 1 • References: 1 • Affected software: 2

curl security advisories • added 2023/12/06

cookie mixed case PSL bypass

This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. It could do this by exploiting a...

CVSS 6.5 • AI score 6.5 • EPSS 0.01685
Exploits: 1 • References: 1 • Affected software: 2

curl security advisories • added 2023/10/11

cookie injection with none file

This flaw allows an attacker to intentionally inject cookies into a running program using libcurl, if the specific series of conditions are met. libcurl performs transfers. In its API, an application creates "easy handles" that are the individual handles for single transfers. libcurl provides a...

CVSS 3.7 • AI score 6.9 • EPSS 0.06208
Exploits: 0 • References: 1 • Affected software: 2

curl security advisories • added 2023/10/11

SOCKS5 heap buffer overflow

This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the hostname to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that hostname can be is 255 bytes. If the hostname ...

CVSS 9.8 • AI score 7.4 • EPSS 0.78483
Exploits: 6 • References: 1 • Affected software: 2

curl security advisories • added 2023/09/13

HTTP headers eat all memory

When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API. However, curl did not have a limit on the size or quantity of headers it would accept in a response, allowing a malicious server to stream an endless series of...

CVSS 7.5 • AI score 6.4 • EPSS 0.62246
Exploits: 1 • References: 1 • Affected software: 2

curl security advisories • added 2023/05/17

UAF in SSH sha256 fingerprint check

libcurl offers a feature to verify an SSH server's public key using a SHA-256 hash. When this check fails, libcurl would free the memory for the fingerprint before it returns an error message containing the now freed hash. This flaw risks inserting sensitive heap-based data into the error message...

CVSS 7.5 • AI score 6.8 • EPSS 0.02489
Exploits: 1 • References: 1 • Affected software: 2

curl security advisories • added 2023/05/17

IDN wildcard match

curl supports matching of wildcard patterns when listed as "Subject Alternative Name" in TLS server certificates. curl can be built to use its own name matching function for TLS rather than one provided by a TLS library. This private wildcard matching function would match IDN International Domain...

CVSS 5.9 • AI score 6.4 • EPSS 0.0181
Exploits: 1 • References: 1 • Affected software: 2

curl security advisories • added 2023/05/17

more POST-after-PUT confusion

When doing HTTPS transfers, libcurl might erroneously use the read callback CURLOPT_READFUNCTION to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously was used to issue a PUT request which used that callback. This flaw may surprise the...

CVSS 5.3 • AI score 6.2 • EPSS 0.02211
Exploits: 1 • References: 1 • Affected software: 2

curl security advisories • added 2023/05/17

siglongjmp race condition

libcurl provides several different backends for resolving hostnames, selected at build time. If it is built to use the synchronous resolver, it allows name resolves to time-out slow operations using alarm and siglongjmp. When doing this, libcurl used a global buffer that was not mutex protected a...

CVSS 5.9 • AI score 6.5 • EPSS 0.02658
Exploits: 1 • References: 1 • Affected software: 2

curl security advisories • added 2023/03/20

HSTS double free

libcurl supports sharing HSTS data between separate "handles". This sharing was introduced without considerations for doing this sharing across separate threads but there was no indication of this fact in the documentation. Due to missing mutexes or thread locks, two threads sharing the same HSTS...

CVSS 5.9 • AI score 6.3 • EPSS 0.01856
Exploits: 1 • References: 1 • Affected software: 2

curl security advisories • added 2023/03/20

GSS delegation too eager connection reuse

libcurl would reuse a previously created connection even when the GSS delegation CURLOPT_GSSAPI_DELEGATION option had been changed that could have changed the user's permissions in a second transfer. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if...

CVSS 5.9 • AI score 6.7 • EPSS 0.01566
Exploits: 1 • References: 1 • Affected software: 2

curl security advisories • added 2023/03/20

FTP too eager connection reuse

libcurl would reuse a previously created FTP connection even when one or more options had been changed that could have made the effective user a different one, thus leading to doing the second transfer with the wrong credentials. libcurl keeps previously used connections in a connection pool for...

CVSS 5.9 • AI score 6.6 • EPSS 0.01607
Exploits: 1 • References: 1 • Affected software: 2

curl security advisories • added 2023/03/20

SFTP path ~ resolving discrepancy

curl supports SFTP transfers. curl's SFTP implementation offers a special feature in the path component of URLs: a tilde character as the first path element in the path denotes a path relative to the user's home directory. This is supported because of wording in the once proposed to-become RFC...

CVSS 8.8 • AI score 6.5 • EPSS 0.02195
Exploits: 1 • References: 1 • Affected software: 2

curl security advisories • added 2023/03/20

TELNET option IAC injection

curl supports communicating using the TELNET protocol and as a part of this it offers users to pass on username and "telnet options" for the server negotiation. Due to lack of proper input scrubbing and without it being the documented functionality, curl would pass on username and telnet options ...

CVSS 9.8 • AI score 6.4 • EPSS 0.01993
Exploits: 1 • References: 1 • Affected software: 2

curl security advisories • added 2023/03/20

SSH connection too eager reuse still

libcurl would reuse a previously created connection even when an SSH related option had been changed that should have prohibited reuse. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, two SSH settings were...

CVSS 7.7 • AI score 6.6 • EPSS 0.01162
Exploits: 1 • References: 1 • Affected software: 2

curl security advisories • added 2023/02/15

HTTP multi-header compression denial of service

curl supports "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was capped, but the cap was implemented on a per-header basis allowing a...

CVSS 6.5 • AI score 6.6 • EPSS 0.01703
Exploits: 1 • References: 1 • Affected software: 2

curl security advisories • added 2023/02/15

HSTS amnesia with --parallel

curl's HSTS cache saving behaves wrongly when multiple URLs are requested in parallel. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly fail when...

CVSS 6.5 • AI score 6.8 • EPSS 0.00861
Exploits: 0 • References: 1 • Affected software: 2

curl security advisories • added 2023/02/15

HSTS ignored on multiple requests

curl's HSTS functionality fails when multiple URLs are requested serially. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly be ignored by subsequent...

CVSS 9.1 • AI score 7.1 • EPSS 0.00858
Exploits: 1 • References: 1 • Affected software: 2

curl security advisories • added 2022/12/21

HTTP Proxy deny use after free

curl can be asked to tunnel virtually all protocols it supports through an HTTP proxy. HTTP proxies can and often do deny such tunnel operations using an appropriate HTTP error response code. When getting denied to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocated struc...

CVSS 5.9 • AI score 6.5 • EPSS 0.02511
Exploits: 1 • References: 1 • Affected software: 2

curl security advisories • added 2022/12/21

Another HSTS bypass via IDN

curl's HSTS check could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. The HSTS mechanism could be bypassed if the hostname in the given URL first uses...

CVSS 7.5 • AI score 6.6 • EPSS 0.1654
Exploits: 1 • References: 1 • Affected software: 2

curl security advisories • added 2022/10/26

HSTS bypass via IDN

curl's HSTS check could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This mechanism could be bypassed if the hostname in the given URL uses...

CVSS 7.5 • AI score 7.1 • EPSS 0.01644
Exploits: 0 • References: 1 • Affected software: 2

curl security advisories • added 2022/10/26

HTTP proxy double free

If curl is told to use an HTTP proxy for a transfer with a non-HTTPS URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of protocol through. An HTTP proxy might refuse this request; HTTP proxies often only allow outgoing...

CVSS 8.1 • AI score 7.2 • EPSS 0.02927
Exploits: 0 • References: 1 • Affected software: 2

curl security advisories • added 2022/10/26

POST following PUT confusion

When doing HTTPS transfers, libcurl might erroneously use the read callback CURLOPT_READFUNCTION to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously was used to issue a PUT request which used that callback. This flaw may surprise the...

CVSS 9.8 • AI score 6.7 • EPSS 0.04325
Exploits: 1 • References: 1 • Affected software: 2

curl security advisories • added 2022/10/26

.netrc parser out-of-bounds access

curl can be told to parse a .netrc file for credentials. If that file ends in a line with consecutive non-white space letters and no newline, curl could read past the end of the stack-based buffer, and if the read works, write a zero byte possibly beyond its boundary. This does in most cases caus...

CVSS 6.5 • AI score 7.3 • EPSS 0.01761
Exploits: 1 • References: 1 • Affected software: 2

curl security advisories • added 2022/08/31

control code in cookie denial of service

When curl retrieves and parses cookies from an HTTPS server, it accepts cookies using control codes (byte values below 32). When cookies that contain such control codes are later sent back to an HTTPS server, it might make the server return a 400 response. Effectively allowing a "sister site" to de...

CVSS 3.7 • AI score 6.3 • EPSS 0.01788
Exploits: 1 • References: 1 • Affected software: 2

curl security advisories • added 2022/06/27

Non-preserved file permissions

When curl saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target filename. In that rename operation, it might accidentally widen the permissions for the target file, leaving the updated...

CVSS 9.8 • AI score 7.1 • EPSS 0.05481
Exploits: 1 • References: 1 • Affected software: 2

curl security advisories • added 2022/06/27

HTTP compression denial of service

curl supports "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was unbounded, allowing a malicious server to insert a virtually unlimited...

CVSS 6.5 • AI score 7.1 • EPSS 0.3197
Exploits: 1 • References: 1 • Affected software: 2

curl security advisories • added 2022/06/27

Set-Cookie denial of service

A malicious server can serve excessive amounts of Set-Cookie: headers in an HTTP response to curl and curl stores all of them. A sufficiently large amount of big cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the...

CVSS 4.3 • AI score 6.8 • EPSS 0.26915
Exploits: 1 • References: 1 • Affected software: 2

curl security advisories • added 2022/06/27

FTP-KRB bad message verification

When curl does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client...

CVSS 5.9 • AI score 7.1 • EPSS 0.05595
Exploits: 1 • References: 1 • Affected software: 2

curl security advisories • added 2022/05/11

curl removes wrong file on error

curl might remove the wrong file when --no-clobber is used together with --remove-on-error. The --remove-on-error option tells curl to remove the output file when it returns an error, and not leave a partial file behind. The --no-clobber option prevents curl from overwriting a file if it already...

CVSS 8.1 • AI score 6.2 • EPSS 0.03453
Exploits: 1 • References: 1 • Affected software: 2

curl security advisories • added 2022/05/11

HSTS bypass via trailing dot

curl's HSTS check could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This mechanism could be bypassed if the hostname in the given URL used ...

CVSS 4.3 • AI score 6.4 • EPSS 0.01118
Exploits: 1 • References: 1 • Affected software: 2

curl security advisories • added 2022/05/11

TLS and SSH connection too eager reuse

libcurl would reuse a previously created connection even when a TLS or SSH related option had been changed that should have prohibited reuse. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, several TLS and...

CVSS 7.5 • AI score 6.6 • EPSS 0.02596
Exploits: 1 • References: 1 • Affected software: 2

curl security advisories • added 2022/05/11

CERTINFO never-ending busy-loop

libcurl provides the CURLOPT_CERTINFO option to allow applications to request details to be returned about a TLS server's certificate chain. Due to an erroneous function, a malicious server could make libcurl built with NSS get stuck in a never-ending busy-loop when trying to retrieve that...

CVSS 7.5 • AI score 7.1 • EPSS 0.02434
Exploits: 1 • References: 1 • Affected software: 2

curl security advisories • added 2022/05/11

cookie for trailing dot TLD

libcurl wrongly allows HTTP cookies to be set for Top Level Domains (TLDs) if the hostname is provided with a trailing dot. curl can be told to receive and send cookies when communicating using HTTPS. curl's "cookie engine" can be built with or without Public Suffix List awareness. If PSL support n...

CVSS 5.3 • AI score 6.5 • EPSS 0.02414
Exploits: 1 • References: 1 • Affected software: 2

curl security advisories • added 2022/05/11

percent-encoded path separator in URL host

The curl URL parser wrongly accepts percent-encoded URL separators like '/' when decoding the hostname part of a URL, making it a different URL using the wrong hostname when it is later retrieved. For example, a URL like http://example.com%2F10.0.0.1/, would be allowed by the parser and get...

CVSS 7.5 • AI score 6.7 • EPSS 0.02187
Exploits: 1 • References: 1 • Affected software: 2

curl security advisories • added 2022/04/27

Auth/cookie leak on redirect

curl might leak authentication or cookie header data on HTTP redirects to the same host but another port number. When asked to send custom headers or cookies in its HTTP requests, curl sends that set of headers only to the host whose name is used in the initial URL, so that redirects to other hos...

CVSS 6.5 • AI score 6.5 • EPSS 0.03425
Exploits: 1 • References: 1 • Affected software: 2

curl security advisories • added 2022/04/27

Bad local IPv6 connection reuse

libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse, if one of them matches the setup. Due to errors in the logic, the config matching function did not take the IPv6 address zone id into account which could lead to libcurl reusing the wrong connection...

CVSS 7.5 • AI score 6.4 • EPSS 0.02794
Exploits: 1 • References: 1 • Affected software: 2

curl security advisories • added 2022/04/27

Credential leak on redirect

curl follows HTTPS redirects when asked to. curl also supports authentication. When a user and password are provided for a URL with a given hostname, curl makes an effort to not pass on those credentials to other hosts in redirects unless given permission with a special option. This "same host...

CVSS 5.7 • AI score 6.1 • EPSS 0.01595
Exploits: 1 • References: 1 • Affected software: 2

curl security advisories • added 2022/04/27

OAUTH2 bearer bypass in connection reuse

libcurl might reuse OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMTPS, IMAPS, POP3S and LDAPS (OpenLDAP only). libcurl maintains a pool of live connection...

CVSS 8.1 • AI score 6.4 • EPSS 0.01914
Exploits: 1 • References: 1 • Affected software: 2

curl security advisories • added 2021/09/15

Protocol downgrade required TLS bypassed

A user can tell curl to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (--ssl-reqd on the command line, or CURLOPT_USE_SSL set to CURLUSESSL_CONTROL or CURLUSESSL_ALL with libcurl). This requirement could be bypassed if the server would return a properly crafted but...

CVSS 7.5 • AI score 6.5 • EPSS 0.04224
Exploits: 1 • References: 1 • Affected software: 2

curl security advisories • added 2021/09/15

STARTTLS protocol injection via MITM

When curl connects to an IMAP, POP3, SMTP or FTP server to exchange data securely using STARTTLS to upgrade the connection to TLS level, the server can still respond and send back multiple responses before the TLS upgrade. Such multiple pipelined responses are cached by curl. curl would then...

CVSS 5.9 • AI score 6.7 • EPSS 0.02799
Exploits: 1 • References: 1 • Affected software: 2

curl security advisories • added 2021/09/15

UAF and double free in MQTT sending

When sending data to an MQTT server, libcurl could in some circumstances erroneously keep a pointer to an already freed memory area and both use that again in a subsequent call to send data and also free it again...

CVSS 9.1 • AI score 6.2 • EPSS 0.06216
Exploits: 1 • References: 1 • Affected software: 2

curl security advisories • added 2021/07/21

CURLOPT_SSLCERT mix-up with Secure Transport

libcurl-using applications can ask for a specific client certificate to be used in a transfer. This is done with the CURLOPT_SSLCERT option (--cert with the command line tool). When libcurl is built to use the macOS native TLS library (Secure Transport), an application can ask for the client certifica...

CVSS 7.5 • AI score 6.2 • EPSS 0.0982
Exploits: 1 • References: 1 • Affected software: 2

curl security advisories • added 2021/07/21

TELNET stack contents disclosure again

curl supports the -t command line option, known as CURLOPT_TELNETOPTIONS in libcurl. This rarely used option is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack bas...

CVSS 5.3 • AI score 6.5 • EPSS 0.04929
Exploits: 1 • References: 1 • Affected software: 2

Total number of security vulnerabilities: 206