
206 matches found

curl security advisories
added 2016/11/02 8:00 a.m., 6 views

double free in curl_maprintf

The libcurl API function called curl_maprintf can be tricked into doing a double free due to an unsafe size_t multiplication, on systems using 32-bit size_t variables. The function is also used internally in numerous situations. The function doubles an allocated memory area with realloc and allows t...

CVSS 9.8, AI score 7.1, EPSS 0.04574
Exploits 0, Affected software 2

curl security advisories
added 2016/11/02 8:00 a.m., 6 views

double free in krb5 code

In curl's implementation of the Kerberos authentication mechanism, the function read_data in security.c is used to fill the necessary krb5 structures. When reading one of the length fields from the socket, it fails to ensure that the length parameter passed to realloc is not set to 0. This would...

CVSS 9.8, AI score 7.1, EPSS 0.04989
Exploits 0, Affected software 2

curl security advisories
added 2016/11/02 8:00 a.m., 6 views

IDNA 2003 makes curl use wrong host

When curl is built with libidn to handle International Domain Names (IDNA), it translates them to puny code for DNS resolving using the IDNA 2003 standard, while IDNA 2008 is the modern and up-to-date IDNA standard. This misalignment causes problems with for example domains using the German ß...

CVSS 7.5, AI score 7.2, EPSS 0.04321
Exploits 0, Affected software 2

curl security advisories
added 2016/11/02 8:00 a.m., 5 views

URL unescape heap overflow via integer truncation

The URL percent-encoding decode function in libcurl is called curl_easy_unescape. Internally, even if this function would be made to allocate a destination buffer larger than 2GB, it would return that new length in a signed 32-bit integer variable, thus the length would get either truncated only or...

CVSS 9.8, AI score 7, EPSS 0.0467
Exploits 0, Affected software 2

curl security advisories
added 2016/11/02 8:00 a.m., 6 views

glob parser write/read out of bounds

The curl tool's "globbing" feature allows a user to specify a numerical range through which curl iterates. It is typically specified as 1-5, specifying the first and the last numbers in the range. Or with a-z, using letters. 1. The curl code for parsing the second unsigned number did not check fo...

CVSS 9.8, AI score 7.7, EPSS 0.04413
Exploits 0, Affected software 2

curl security advisories
added 2016/11/02 8:00 a.m., 8 views

Use after free via shared cookies

libcurl explicitly allows users to share cookies between multiple easy handles that are concurrently employed by different threads. When cookies to be sent to a server are collected, the matching function collects all cookies to send and the cookie lock is released immediately afterwards. That...

CVSS 7.5, AI score 6.8, EPSS 0.02602
Exploits 0, Affected software 2

curl security advisories
added 2016/11/02 8:00 a.m., 5 views

invalid URL parsing with '#'

curl does not parse the authority component of the URL correctly when the host name part ends with a hash character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use a URL parser that follows the RFC to check for allowed...

CVSS 7.5, AI score 7.3, EPSS 0.05915
Exploits 0, Affected software 2

curl security advisories
added 2016/11/02 8:00 a.m., 4 views

OOB write via unchecked multiplication

In libcurl's base64 encode function, the output buffer is allocated as follows without any checks on insize: malloc(insize * 4 / 3 + 4). On systems with 32-bit addresses in userspace (e.g. x86, ARM, x32), the multiplication in the expression wraps around if insize is at least 1GB of data. If this...

CVSS 7, AI score 7, EPSS 0.00593
Exploits 0, Affected software 2

curl security advisories
added 2016/11/02 8:00 a.m., 6 views

cookie injection for other servers

If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar. The issue pertains to the function that loads cookies into memory, which reads the specified file...

CVSS 7.5, AI score 7.4, EPSS 0.04498
Exploits 0, Affected software 2

curl security advisories
added 2016/11/02 8:00 a.m., 4 views

case insensitive password comparison

When reusing a connection, curl was doing case insensitive comparisons of username and password with the existing connections. This means that if an unused connection with proper credentials exists for a protocol that has connection-scoped credentials, an attacker can cause that connection to be...

CVSS 5.9, AI score 6.8, EPSS 0.03472
Exploits 0, Affected software 2

curl security advisories
added 2016/11/02 8:00 a.m., 5 views

curl_getdate read out of bounds

The curl_getdate function converts a given date string into a numerical timestamp and it supports a range of different formats and possibilities to express a date and time. The underlying date parsing function is also used internally when parsing for example HTTP cookies possibly received from remote serve...

CVSS 7.5, AI score 7.3, EPSS 0.04927
Exploits 0, Affected software 2

curl security advisories
added 2016/09/14 8:00 a.m., 10 views

curl escape and unescape integer overflows

The four libcurl functions curl_escape, curl_easy_escape, curl_unescape and curl_easy_unescape perform string URL percent escaping and unescaping. They accept custom string length inputs in signed integer arguments. The functions having names without "easy" being the deprecated versions of the others...

CVSS 9.8, AI score 6.8, EPSS 0.11737
Exploits 0, Affected software 2

curl security advisories
added 2016/09/07 8:00 a.m., 6 views

Incorrect reuse of client certificates

libcurl built on top of NSS (Network Security Services) incorrectly reused client certificates if a certificate from file was used for one TLS connection but no certificate set for a subsequent TLS connection. While the symptoms are similar to CVE-2016-5420 (Reusing connection with wrong client cert)...

CVSS 7.5, AI score 6.5, EPSS 0.08404
Exploits 0, Affected software 2

curl security advisories
added 2016/08/03 8:00 a.m., 26 views

Reusing connections with wrong client cert

libcurl did not consider client certificates when reusing TLS connections. libcurl supports reuse of established connections for subsequent requests. It does this by keeping a few previous connections "alive" in a connection pool so that a subsequent request that can use one of them instead of...

CVSS 7.5, AI score 6.5, EPSS 0.14596
Exploits 0, Affected software 2

curl security advisories
added 2016/08/03 8:00 a.m., 7 views

use of connection struct after free

libcurl is vulnerable to a use after free flaw. libcurl works with easy handles using the type 'CURL *' that are objects the application creates using curl_easy_init. They are the handles that are all each associated with a single transfer at a time. libcurl also has an internal struct that represen...

CVSS 8.1, AI score 7.5, EPSS 0.08037
Exploits 0, Affected software 2

curl security advisories
added 2016/08/03 8:00 a.m., 8 views

TLS session resumption client cert bypass

libcurl would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable since a server by specification is allowed to skip the client certificate check on resume, and may instead use the old identity which was established by the previous certificate or no...

CVSS 7.5, AI score 6.4, EPSS 0.15063
Exploits 0, Affected software 2

curl security advisories
added 2016/05/30 8:00 a.m., 11 views

Windows DLL hijacking

libcurl would load Windows system DLLs in a manner that may make it vulnerable to a DLL hijacking (aka binary planting) attack in certain configurations. libcurl has a unified code base that builds and runs on a multitude of different versions of Windows. To make that possible, when libcurl is buil...

CVSS 7.8, AI score 7.6, EPSS 0.00565
Exploits 0, Affected software 2

curl security advisories
added 2016/05/18 8:00 a.m., 32 views

TLS certificate check bypass with mbedTLS/PolarSSL

libcurl did not check the server certificate of TLS connections done to a host specified as an IP address, or when explicitly asked to use SSLv3. This flaw only exists when libcurl is built to use mbedTLS or PolarSSL as the TLS backend. The documentation for mbedTLS and PolarSSL wrongly says that...

CVSS 5.3, AI score 6.1, EPSS 0.06377
Exploits 0, Affected software 2

curl security advisories
added 2016/01/27 8:00 a.m., 8 views

NTLM credentials not-checked for proxy connection reuse

libcurl reuses NTLM-authenticated proxy connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. libcurl maintains a pool of connections after a transfer has completed. The pool of connections is then gone through when a ne...

CVSS 7.3, AI score 7.4, EPSS 0.09327
Exploits 0, Affected software 2

curl security advisories
added 2016/01/27 8:00 a.m., 4 views

remote filename path traversal in curl tool for Windows

curl does not sanitize colons in a remote filename that is used as the local filename. This may lead to a vulnerability on systems where the colon is a special path character. Currently Windows is the only OS where this vulnerability applies. curl offers command line options --remote-name also...

CVSS 5.3, AI score 6, EPSS 0.01119
Exploits 0, Affected software 2

curl security advisories
added 2015/06/17 8:00 a.m., 10 views

lingering HTTP credentials in connection reuse

libcurl can wrongly send HTTP credentials when reusing connections. libcurl allows applications to set credentials for the upcoming transfer with HTTP Basic authentication, like with CURLOPT_USERPWD for example. Name and password. Like all other libcurl options the credentials are sticky and are...

CVSS 5, AI score 8, EPSS 0.0821
Exploits 0, Affected software 2

curl security advisories
added 2015/06/17 8:00 a.m., 6 views

SMB send off unrelated memory contents

libcurl can get tricked by a malicious SMB server to send off data it did not intend to. In libcurl's state machine function handling the SMB protocol (smb_request_state), two length and offset values are extracted from data that has arrived over the network, and those values are subsequently used to...

CVSS 6.4, AI score 8.2, EPSS 0.09334
Exploits 0, Affected software 2

curl security advisories
added 2015/04/29 8:00 a.m., 11 views

sensitive HTTP server headers also sent to proxies

libcurl provides applications a way to set custom HTTP headers to be sent to the server by using CURLOPT_HTTPHEADER. A similar option is available for the curl command-line tool with the '--header' option. When the connection passes through an HTTP proxy the same set of headers is sent to the prox...

CVSS 5, AI score 7.2, EPSS 0.07538
Exploits 0, Affected software 2

curl security advisories
added 2015/04/22 8:00 a.m., 5 views

cookie parser out of boundary memory access

libcurl supports HTTP "cookies" as documented in RFC 6265. Together with each individual cookie there are several different properties, but for this vulnerability we focus on the associated "path" element. It tells information about for which path on a given host the cookie is valid. The internal...

CVSS 7.5, AI score 8, EPSS 0.3763
Exploits 0, Affected software 2

curl security advisories
added 2015/04/22 8:00 a.m., 6 views

Negotiate not treated as connection-oriented

libcurl keeps a pool of its last few connections around after use to facilitate easy, convenient and completely transparent connection reuse for applications. When doing HTTP requests Negotiate authenticated, the entire connection may become authenticated and not only the specific HTTP request...

CVSS 5, AI score 7.4, EPSS 0.17942
Exploits 0, Affected software 2

curl security advisories
added 2015/04/22 8:00 a.m., 8 views

hostname out of boundary memory access

There is a private function in libcurl called fix_hostname that removes a trailing dot from the hostname if there is one. The function is called after the hostname has been extracted from the URL libcurl has been told to act on. If a URL is given with a zero-length hostname, like in "http://:80" o...

CVSS 9, AI score 7.7, EPSS 0.11027
Exploits 0, Affected software 2

curl security advisories
added 2015/04/22 8:00 a.m., 7 views

Reusing authenticated connection when unauthenticated

libcurl keeps a pool of its last few connections around after use to facilitate easy, convenient and completely transparent connection reuse for applications. When doing HTTP requests NTLM authenticated, the entire connection becomes authenticated and not only the specific HTTP request which is...

CVSS 5, AI score 7.5, EPSS 0.16222
Exploits 0, Affected software 2

curl security advisories
added 2015/01/08 8:00 a.m., 46 views

URL request injection

When libcurl sends a request to a server via an HTTP proxy, it copies the entire URL into the request and sends it off. If the given URL contains line feeds and carriage returns those are sent along to the proxy too, which allows the program to for example send a separate HTTP request injected...

CVSS 4.3, AI score 7.4, EPSS 0.0681
Exploits 0, Affected software 2

curl security advisories
added 2015/01/08 8:00 a.m., 6 views

Secure Transport certificate check bypass

libcurl stores TLS Session IDs in its associated Session ID cache when it connects to TLS servers. In subsequent connects it reuses the entry in the cache to resume the TLS connection faster than when doing a full TLS handshake. The actual implementation for the Session ID caching varies dependin...

CVSS 5.8, AI score 7.1, EPSS 0.01148
Exploits 0, Affected software 2

curl security advisories
added 2014/11/05 8:00 a.m., 7 views

duphandle read out of bounds

libcurl's function curl_easy_duphandle has a bug that can lead to libcurl eventually sending off sensitive data that was not intended for sending. When doing an HTTP POST transfer with libcurl, you can use the CURLOPT_COPYPOSTFIELDS option to specify a memory area holding the data to send to the...

CVSS 4.3, AI score 7.3, EPSS 0.05121
Exploits 0, Affected software 2

curl security advisories
added 2014/09/10 8:00 a.m., 6 views

cookie leak for TLDs

libcurl wrongly allows cookies to be set for Top Level Domains (TLDs), thus making them apply broader than cookies are allowed. This can allow arbitrary sites to set cookies that then would get sent to a different and unrelated site or domain...

CVSS 5, AI score 6.7, EPSS 0.04876
Exploits 0, Affected software 2

curl security advisories
added 2014/09/10 8:00 a.m., 6 views

cookie leak with IP address as domain

By not detecting and rejecting domain names for partial literal IP addresses properly when parsing received HTTP cookies, libcurl can be fooled to both sending cookies to wrong sites and into allowing arbitrary sites to set cookies for others. For this problem to trigger, the client application...

CVSS 5, AI score 7.3, EPSS 0.07432
Exploits 0, Affected software 2

curl security advisories
added 2014/03/26 8:00 a.m., 8 views

not verifying certs for TLS to IP address / Secure Transport

When asked to do a TLS connection (HTTPS, FTPS, IMAPS, etc) to a URL specified with an IP address instead of a name, libcurl would wrongly not verify the server's name in the certificate. The signature (whether it was signed by a trusted CA) and validity (whether the date was within the certificate's...

CVSS 4.3, AI score 6.4, EPSS 0.02862
Exploits 2, Affected software 2

curl security advisories
added 2014/03/26 8:00 a.m., 31 views

IP address wildcard certificate validation

libcurl incorrectly validates wildcard SSL certificates containing literal IP addresses. RFC 2818 covers the requirements for matching Common Names (CNs) and subjectAltNames in order to establish valid SSL connections. It first discusses CNs that are for hostnames, and the rules for wildcards in th...

CVSS 5.8, AI score 6.2, EPSS 0.04888
Exploits 0, Affected software 2

curl security advisories
added 2014/03/26 8:00 a.m., 6 views

wrong reuse of connections

libcurl can in some circumstances reuse the wrong connection when asked to do transfers using other protocols than HTTP and FTP. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of...

CVSS 6.4, AI score 6.9, EPSS 0.0508
Exploits 0, Affected software 2

curl security advisories
added 2014/03/26 8:00 a.m., 5 views

not verifying certs for TLS to IP address / Schannel

When asked to do a TLS connection (HTTPS, FTPS, IMAPS, etc) to a URL specified with an IP address instead of a name, libcurl would wrongly not verify the server's name in the certificate. The signature (whether it was signed by a trusted CA) and validity (whether the date was within the certificate's...

CVSS 4, AI score 5.5, EPSS 0.02576
Exploits 1, Affected software 2

curl security advisories
added 2014/01/29 8:00 a.m., 7 views

reuse of wrong HTTP NTLM connection

libcurl can in some circumstances reuse the wrong connection when asked to do an NTLM-authenticated HTTP or HTTPS request. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria...

CVSS 4, AI score 6.9, EPSS 0.05599
Exploits 1, Affected software 2

curl security advisories
added 2013/12/17 8:00 a.m., 6 views

cert name check ignore with GnuTLS

This issue is almost identical to the one named CVE-2013-4545, but this problem affects a different SSL backend. libcurl is vulnerable to a case of missing out the checking of the certificate CN or SAN name field when the digital signature verification is turned off. libcurl offers two separate a...

CVSS 4, AI score 5.5, EPSS 0.02761
Exploits 0, Affected software 2

curl security advisories
added 2013/11/15 8:00 a.m., 7 views

cert name check ignore OpenSSL

libcurl is vulnerable to a case of missing out the checking of the certificate CN or SAN name field when the digital signature verification is turned off. libcurl offers two separate and independent options for verifying a server's TLS certificate: CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST. T...

CVSS 4.3, AI score 6, EPSS 0.03076
Exploits 0, Affected software 2

curl security advisories
added 2013/06/22 8:00 a.m., 6 views

URL decode buffer boundary flaw

libcurl is vulnerable to a case of bad checking of the input data which may lead to heap corruption. The function curl_easy_unescape decodes URL encoded strings to raw binary data. URL encoded octets are represented with %HH combinations where HH is a two-digit hexadecimal number. The decoded strin...

CVSS 6.8, AI score 6.9, EPSS 0.11118
Exploits 2, Affected software 2

curl security advisories
added 2013/04/12 8:00 a.m., 6 views

cookie domain tailmatch

libcurl is vulnerable to a cookie leak vulnerability when doing requests across domains with matching tails. When communicating over HTTPS and having libcurl's cookie engine enabled, libcurl stores and holds cookies for use when subsequent requests are done to hosts and paths that match those kep...

CVSS 5, AI score 7.3, EPSS 0.04986
Exploits 1, Affected software 2

curl security advisories
added 2013/02/06 8:00 a.m., 8 views

SASL buffer overflow

libcurl is vulnerable to a buffer overflow vulnerability when communicating with one of the protocols POP3, SMTP or IMAP. When negotiating SASL DIGEST-MD5 authentication, the function Curl_sasl_create_digest_md5_message uses the data provided from the server without doing the proper length checks and...

CVSS 7.5, AI score 8.6, EPSS 0.22913
Exploits 6, Affected software 2

curl security advisories
added 2012/01/24 8:00 a.m., 6 views

URL sanitization vulnerability

curl is vulnerable to a data injection attack for certain protocols through control characters embedded or percent-encoded in URLs. When parsing URLs, libcurl's parser is liberal and only parses as little as possible and lets as much as possible through as long as it can figure out what to do. In...

CVSS 7.5, AI score 7.1, EPSS 0.16723
Exploits 0, Affected software 2

curl security advisories
added 2012/01/24 8:00 a.m., 9 views

SSL CBC IV vulnerability

curl is vulnerable to a SSL CBC IV vulnerability when built to use OpenSSL for the SSL/TLS layer. This vulnerability has been identified as CVE-2011-3389 (aka the "BEAST" attack) and is addressed by OpenSSL already as they have made a workaround to mitigate the problem. When doing so, they figured out...

CVSS 4.3, AI score 6.8, EPSS 0.73327
Exploits 4, Affected software 2

curl security advisories
added 2011/06/23 8:00 a.m., 6 views

inappropriate GSSAPI delegation

When doing GSSAPI authentication, libcurl unconditionally performs credential delegation. This hands the server a copy of the client's security credentials, allowing the server to impersonate the client to any other using the same GSSAPI mechanism. This is obviously a sensitive operation, which...

CVSS 4.3, AI score 7.8, EPSS 0.02994
Exploits 0, Affected software 2

curl security advisories
added 2010/10/13 8:00 a.m., 6 views

local file overwrite

curl offers a command line option --remote-header-name (also usable as -J) which uses the filename of the Content-disposition: header when it saves the downloaded data locally. curl attempts to cut off the directory parts from any given filename in the header to only store files in the current...

CVSS 5.8, AI score 5.3, EPSS 0.017
Exploits 0, Affected software 2

curl security advisories
added 2010/02/09 8:00 a.m., 5 views

data callback excessive length

When downloading data, libcurl hands it over to the application using a callback that is registered by the client software. libcurl then calls that function repeatedly with data until the transfer is complete. The callback is documented to receive a maximum data size of 16K (CURL_MAX_WRITE_SIZE). Usin...

CVSS 6.8, AI score 7.5, EPSS 0.04408
Exploits 0, Affected software 2

curl security advisories
added 2009/08/12 8:00 a.m., 7 views

embedded zero in cert name

SSL and TLS Server certificates contain one or more fields with server name or otherwise matching patterns. These strings are stored as content and length within the certificate, and thus there is no particular terminating character. curl's OpenSSL interfacing code made faulty assumptions about...

CVSS 7.5, AI score 5.5, EPSS 0.03602
Exploits 0, Affected software 2

curl security advisories
added 2009/03/03 8:00 a.m., 6 views

Arbitrary File Access

When told to follow a "redirect" automatically, libcurl does not question the new target URL but follows it to any new URL that it understands. As libcurl supports FILE:// URLs, a rogue server can thus "trick" a libcurl-using application to read a local file instead of the remote one. This is a...

CVSS 6.8, AI score 7.2, EPSS 0.07812
Exploits 2, Affected software 2

curl security advisories
added 2007/07/10 8:00 a.m., 6 views

GnuTLS insufficient cert verification

libcurl when built to use GnuTLS fails to verify that a peer's certificate has not already expired or has not yet become valid. This allows malicious servers to present certificates to libcurl that were not rejected properly. Notably, the CA certificate and common name checks are still in place...

CVSS 7.5, AI score 5.2, EPSS 0.02297
Exploits 0, Affected software 2

Total number of security vulnerabilities: 206