Curl Security Vulnerabilities and Issues — Curl CVE List

Lucene search

HaxxCurl

9 matches found

CVE•added 2021/09/29 8:15 p.m.•443 views

CVE-2021-22947

When curl >= 7.20.0 and

5.9CVSS7AI score0.00118EPSS

CVE•added 2021/08/05 9:15 p.m.•408 views

CVE-2021-22925

curl supports the -t command line option, known as CURLOPT_TELNETOPTIONSin libcurl. This rarely used option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for sending NEW_ENV variables, libcurlcould be made to pass on uninitialized data from a stack based b...

5.3CVSS6.3AI score0.00406EPSS

CVE•added 2021/06/11 4:15 p.m.•365 views

CVE-2021-22898

curl 7.7 through 7.76.1 suffers from an information disclosure when the -t command line option, known as CURLOPT_TELNETOPTIONS in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uni...

3.1CVSS5.3AI score0.00113EPSS

CVE•added 2021/09/29 8:15 p.m.•365 views

CVE-2021-22946

A user can tell curl >= 7.20.0 and

7.5CVSS7.6AI score0.00059EPSS

CVE•added 2021/08/05 9:15 p.m.•299 views

CVE-2021-22922

When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and thecli...

6.5CVSS6.6AI score0.0021EPSS

CVE•added 2021/08/05 9:15 p.m.•295 views

CVE-2021-22923

When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrar...

5.3CVSS6.1AI score0.00086EPSS

CVE•added 2021/08/05 9:15 p.m.•256 views

CVE-2021-22926

libcurl-using applications can ask for a specific client certificate to be used in a transfer. This is done with the CURLOPT_SSLCERT option (--cert with the command line tool).When libcurl is built to use the macOS native TLS library Secure Transport, an application can ask for the client certifica...

7.5CVSS7.2AI score0.00767EPSS

CVE•added 2021/06/11 4:15 p.m.•220 views

CVE-2021-22901

curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being used when a TLS 1.3 session ticket arrives over a connection. A malicious server can use this in rare unfortunate circumstances to potentially reach remote code execution in the client. Wh...

8.1CVSS8.2AI score0.00272EPSS

CVE•added 2021/06/11 4:15 p.m.•165 views

CVE-2021-22897

curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected cipher set was stored in a single "static" variable in the library, which has the surprising...

5.3CVSS5.5AI score0.00761EPSS