Curl Security Vulnerabilities and Issues — Curl CVE List

Lucene search

HaxxCurl

8 matches found

CVE•added 2011/09/06 7:55 p.m.•608 views

CVE-2011-3389

The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP...

4.3CVSS6.5AI score0.05563EPSS

CVE•added 2020/12/14 8:15 p.m.•349 views

CVE-2020-8284

A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service bann...

4.3CVSS6AI score0.00067EPSS

CVE•added 2019/05/28 7:29 p.m.•313 views

CVE-2019-5435

An integer overflow in curl's URL API results in a buffer overflow in libcurl 7.62.0 to and including 7.64.1.

4.3CVSS5.8AI score0.00177EPSS

CVE•added 2022/07/07 1:15 p.m.•236 views

CVE-2022-32205

A malicious server can serve excessive amounts of Set-Cookie: headers in a HTTP response to curl and curl

4.3CVSS6.2AI score0.00189EPSS

CVE•added 2022/06/02 2:15 p.m.•186 views

CVE-2022-30115

Using its HSTS support, curl can be instructed to use HTTPS directly insteadof using an insecure clear-text HTTP step even when HTTP is provided in theURL. This mechanism could be bypassed if the host name in the given URL used atrailing dot while not using one when it built the HSTS cache. Or the ...

4.3CVSS5.4AI score0.00045EPSS

CVE•added 2014/02/02 12:55 a.m.•136 views

CVE-2014-0015

cURL and libcurl 7.10.6 through 7.34.0, when more than one authentication method is enabled, re-uses NTLM connections, which might allow context-dependent attackers to authenticate as other users via a request.

4CVSS6.2AI score0.02575EPSS

CVE•added 2013/11/23 11:55 a.m.•72 views

CVE-2013-4545

cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an ar...

4.3CVSS6.9AI score0.00666EPSS

CVE•added 2014/04/18 10:14 p.m.•59 views

CVE-2014-2522

curl and libcurl 7.27.0 through 7.35.0, when running on Windows and using the SChannel/Winssl TLS backend, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when accessing a URL that uses a numerical IP ...

4CVSS6AI score0.00245EPSS