206 matches found
double free in curl_maprintf
The libcurl API function called curlmaprintf can be tricked into doing a double free due to an unsafe sizet multiplication, on systems using 32-bit sizet variables. The function is also used internally in numerous situations. The function doubles an allocated memory area with realloc and allows t...
double free in krb5 code
In curl's implementation of the Kerberos authentication mechanism, the function readdata in security.c is used to fill the necessary krb5 structures. When reading one of the length fields from the socket, it fails to ensure that the length parameter passed to realloc is not set to 0. This would...
IDNA 2003 makes curl use wrong host
When curl is built with libidn to handle International Domain Names IDNA, it translates them to puny code for DNS resolving using the IDNA 2003 standard, while IDNA 2008 is the modern and up-to-date IDNA standard. This misalignment causes problems with for example domains using the German ß...
URL unescape heap overflow via integer truncation
The URL percent-encoding decode function in libcurl is called curleasyunescape. Internally, even if this function would be made to allocate a destination buffer larger than 2GB, it would return that new length in a signed 32-bit integer variable, thus the length would get either truncated only or...
glob parser write/read out of bounds
The curl tool's "globbing" feature allows a user to specify a numerical range through which curl iterates. It is typically specified as 1-5, specifying the first and the last numbers in the range. Or with a-z, using letters. 1. The curl code for parsing the second unsigned number did not check fo...
Use after free via shared cookies
libcurl explicitly allows users to share cookies between multiple easy handles that are concurrently employed by different threads. When cookies to be sent to a server are collected, the matching function collects all cookies to send and the cookie lock is released immediately afterwards. That...
invalid URL parsing with '#'
curl does not parse the authority component of the URL correctly when the host name part ends with a hash character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use a URL parser that follows the RFC to check for allowed...
OOB write via unchecked multiplication
In libcurl's base64 encode function, the output buffer is allocated as follows without any checks on insize: malloc insize 4 / 3 + 4 On systems with 32-bit addresses in userspace e.g. x86, ARM, x32, the multiplication in the expression wraps around if insize is at least 1GB of data. If this...
cookie injection for other servers
If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar. The issue pertains to the function that loads cookies into memory, which reads the specified file...
case insensitive password comparison
When reusing a connection, curl was doing case insensitive comparisons of username and password with the existing connections. This means that if an unused connection with proper credentials exists for a protocol that has connection-scoped credentials, an attacker can cause that connection to be...
curl_getdate read out of bounds
The curlgetdate converts a given date string into a numerical timestamp and it supports a range of different formats and possibilities to express a date and time. The underlying date parsing function is also used internally when parsing for example HTTP cookies possibly received from remote serve...
curl escape and unescape integer overflows
The four libcurl functions curlescape, curleasyescape, curlunescape and curleasyunescape perform string URL percent escaping and unescaping. They accept custom string length inputs in signed integer arguments. The functions having names without "easy" being the deprecated versions of the others...
Incorrect reuse of client certificates
libcurl built on top of NSS Network Security Services incorrectly reused client certificates if a certificate from file was used for one TLS connection but no certificate set for a subsequent TLS connection. While the symptoms are similar to CVE-2016-5420 Reusing connection with wrong client cert...
Reusing connections with wrong client cert
libcurl did not consider client certificates when reusing TLS connections. libcurl supports reuse of established connections for subsequent requests. It does this by keeping a few previous connections "alive" in a connection pool so that a subsequent request that can use one of them instead of...
use of connection struct after free
libcurl is vulnerable to a use after free flaw. libcurl works with easy handles using the type 'CURL ' that are objects the application creates using curleasyinit. They are the handles that are all each associated with a single transfer at a time. libcurl also has an internal struct that represen...
TLS session resumption client cert bypass
libcurl would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable since a server by specification is allowed to skip the client certificate check on resume, and may instead use the old identity which was established by the previous certificate or no...
Windows DLL hijacking
libcurl would load Windows system DLLs in a manner that may make it vulnerable to a DLL hijacking aka binary planting attack in certain configurations. libcurl has a unified code base that builds and runs on a multitude of different versions of Windows. To make that possible, when libcurl is buil...
TLS certificate check bypass with mbedTLS/PolarSSL
libcurl did not check the server certificate of TLS connections done to a host specified as an IP address, or when explicitly asked to use SSLv3. This flaw only exists when libcurl is built to use mbedTLS or PolarSSL as the TLS backend. The documentation for mbedTLS and PolarSSL wrongly says that...
NTLM credentials not-checked for proxy connection reuse
libcurl reuses NTLM-authenticated proxy connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. libcurl maintains a pool of connections after a transfer has completed. The pool of connections is then gone through when a ne...
remote filename path traversal in curl tool for Windows
curl does not sanitize colons in a remote filename that is used as the local filename. This may lead to a vulnerability on systems where the colon is a special path character. Currently Windows is the only OS where this vulnerability applies. curl offers command line options --remote-name also...
lingering HTTP credentials in connection reuse
libcurl can wrongly send HTTP credentials when reusing connections. libcurl allows applications to set credentials for the upcoming transfer with HTTP Basic authentication, like with CURLOPTUSERPWD for example. Name and password. Like all other libcurl options the credentials are sticky and are...
SMB send off unrelated memory contents
libcurl can get tricked by a malicious SMB server to send off data it did not intend to. In libcurl's state machine function handling the SMB protocol smbrequeststate, two length and offset values are extracted from data that has arrived over the network, and those values are subsequently used to...
sensitive HTTP server headers also sent to proxies
libcurl provides applications a way to set custom HTTP headers to be sent to the server by using CURLOPTHTTPHEADER. A similar option is available for the curl command-line tool with the '--header' option. When the connection passes through an HTTP proxy the same set of headers is sent to the prox...
cookie parser out of boundary memory access
libcurl supports HTTP "cookies" as documented in RFC 6265. Together with each individual cookie there are several different properties, but for this vulnerability we focus on the associated "path" element. It tells information about for which path on a given host the cookie is valid. The internal...
Negotiate not treated as connection-oriented
libcurl keeps a pool of its last few connections around after use to facilitate easy, convenient and completely transparent connection reuse for applications. When doing HTTP requests Negotiate authenticated, the entire connection may become authenticated and not only the specific HTTP request...
hostname out of boundary memory access
There is a private function in libcurl called fixhostname that removes a trailing dot from the hostname if there is one. The function is called after the hostname has been extracted from the URL libcurl has been told to act on. If a URL is given with a zero-length hostname, like in "http://:80" o...
Reusing authenticated connection when unauthenticated
libcurl keeps a pool of its last few connections around after use to facilitate easy, convenient and completely transparent connection reuse for applications. When doing HTTP requests NTLM authenticated, the entire connection becomes authenticated and not only the specific HTTP request which is...
URL request injection
When libcurl sends a request to a server via an HTTP proxy, it copies the entire URL into the request and sends if off. If the given URL contains line feeds and carriage returns those are sent along to the proxy too, which allows the program to for example send a separate HTTP request injected...
Secure Transport certificate check bypass
libcurl stores TLS Session IDs in its associated Session ID cache when it connects to TLS servers. In subsequent connects it reuses the entry in the cache to resume the TLS connection faster than when doing a full TLS handshake. The actual implementation for the Session ID caching varies dependin...
duphandle read out of bounds
libcurl's function curleasyduphandle has a bug that can lead to libcurl eventually sending off sensitive data that was not intended for sending. When doing an HTTP POST transfer with libcurl, you can use the CURLOPTCOPYPOSTFIELDS option to specify a memory area holding the data to send to the...
cookie leak for TLDs
libcurl wrongly allows cookies to be set for Top Level Domains TLDs, thus making them apply broader than cookies are allowed. This can allow arbitrary sites to set cookies that then would get sent to a different and unrelated site or domain...
cookie leak with IP address as domain
By not detecting and rejecting domain names for partial literal IP addresses properly when parsing received HTTP cookies, libcurl can be fooled to both sending cookies to wrong sites and into allowing arbitrary sites to set cookies for others. For this problem to trigger, the client application...
not verifying certs for TLS to IP address / Secure Transport
When asked to do a TLS connection HTTPS, FTPS, IMAPS, etc to a URL specified with an IP address instead of a name, libcurl would wrongly not verify the server's name in the certificate. The signature whether it was signed by a trusted CA and validity whether the date was within the certificate's...
IP address wildcard certificate validation
libcurl incorrectly validates wildcard SSL certificates containing literal IP addresses. RFC 2818 covers the requirements for matching Common Names CNs and subjectAltNames in order to establish valid SSL connections. It first discusses CNs that are for hostnames, and the rules for wildcards in th...
wrong reuse of connections
libcurl can in some circumstances reuse the wrong connection when asked to do transfers using other protocols than HTTP and FTP. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of...
not verifying certs for TLS to IP address / Schannel
When asked to do a TLS connection HTTPS, FTPS, IMAPS, etc to a URL specified with an IP address instead of a name, libcurl would wrongly not verify the server's name in the certificate. The signature whether it was signed by a trusted CA and validity whether the date was within the certificate's...
reuse of wrong HTTP NTLM connection
libcurl can in some circumstances reuse the wrong connection when asked to do an NTLM-authenticated HTTP or HTTPS request. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criterion...
cert name check ignore with GnuTLS
This issue is almost identical to the one named CVE-2013-4545, but this problem affects a different SSL backend. libcurl is vulnerable to a case of missing out the checking of the certificate CN or SAN name field when the digital signature verification is turned off. libcurl offers two separate a...
cert name check ignore OpenSSL
libcurl is vulnerable to a case of missing out the checking of the certificate CN or SAN name field when the digital signature verification is turned off. libcurl offers two separate and independent options for verifying a server's TLS certificate. CURLOPTSSLVERIFYPEER and CURLOPTSSLVERIFYHOST. T...
URL decode buffer boundary flaw
libcurl is vulnerable to a case of bad checking of the input data which may lead to heap corruption. The function curleasyunescape decodes URL encoded strings to raw binary data. URL encoded octets are represented with %HH combinations where HH is a two-digit hexadecimal number. The decoded strin...
cookie domain tailmatch
libcurl is vulnerable to a cookie leak vulnerability when doing requests across domains with matching tails. When communicating over HTTPS and having libcurl's cookie engine enabled, libcurl stores and holds cookies for use when subsequent requests are done to hosts and paths that match those kep...
SASL buffer overflow
libcurl is vulnerable to a buffer overflow vulnerability when communicating with one of the protocols POP3, SMTP or IMAP. When negotiating SASL DIGEST-MD5 authentication, the function Curlsaslcreatedigestmd5message uses the data provided from the server without doing the proper length checks and...
URL sanitization vulnerability
curl is vulnerable to a data injection attack for certain protocols through control characters embedded or percent-encoded in URLs. When parsing URLs, libcurl's parser is liberal and only parses as little as possible and lets as much as possible through as long as it can figure out what to do. In...
SSL CBC IV vulnerability
curl is vulnerable to a SSL CBC IV vulnerability when built to use OpenSSL for the SSL/TLS layer. This vulnerability has been identified CVE-2011-3389 aka the "BEAST" attack and is addressed by OpenSSL already as they have made a workaround to mitigate the problem. When doing so, they figured out...
inappropriate GSSAPI delegation
When doing GSSAPI authentication, libcurl unconditionally performs credential delegation. This hands the server a copy of the client's security credentials, allowing the server to impersonate the client to any other using the same GSSAPI mechanism. This is obviously a sensitive operation, which...
local file overwrite
curl offers a command line option --remote-header-name also usable as -J which uses the filename of the Content-disposition: header when it saves the downloaded data locally. curl attempts to cut off the directory parts from any given filename in the header to only store files in the current...
data callback excessive length
When downloading data, libcurl hands it over to the application using a callback that is registered by the client software. libcurl then calls that function repeatedly with data until the transfer is complete. The callback is documented to receive a maximum data size of 16K CURLMAXWRITESIZE. Usin...
embedded zero in cert name
SSL and TLS Server certificates contain one or more fields with server name or otherwise matching patterns. These strings are stored as content and length within the certificate, and thus there is no particular terminating character. curl's OpenSSL interfacing code did faulty assumptions about...
Arbitrary File Access
When told to follow a "redirect" automatically, libcurl does not question the new target URL but follows it to any new URL that it understands. As libcurl supports FILE:// URLs, a rogue server can thus "trick" a libcurl-using application to read a local file instead of the remote one. This is a...
GnuTLS insufficient cert verification
libcurl when built to use GnuTLS fails to verify that a peer's certificate has not already expired or has not yet become valid. This allows malicious servers to present certificates to libcurl that were not rejected properly. Notably, the CA certificate and common name checks are still in place...