Libcurl Security Vulnerabilities and Issues — Libcurl CVE List

Lucene search

HaxxLibcurl

9 matches found

CVE•added 2015/04/24 2:59 p.m.•129 views

CVE-2015-3143

cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use NTLM connections, which allows remote attackers to connect as other users via an unauthenticated request, a similar issue to CVE-2014-0015.

5CVSS7.3AI score0.02575EPSS

CVE•added 2015/01/15 3:59 p.m.•125 views

CVE-2014-8150

CRLF injection vulnerability in libcurl 6.0 through 7.x before 7.40.0, when using an HTTP proxy, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in a URL.

4.3CVSS8.7AI score0.0215EPSS

CVE•added 2015/04/24 2:59 p.m.•124 views

CVE-2015-3148

cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use authenticated Negotiate connections, which allows remote attackers to connect as other users via a request.

5CVSS9.1AI score0.01442EPSS

CVE•added 2015/05/01 3:59 p.m.•112 views

CVE-2015-3153

The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the proxy and destination server, which might allow remote proxy servers to obtain sensitive information by reading the header contents.

5CVSS8.2AI score0.06181EPSS

CVE•added 2015/04/24 2:59 p.m.•103 views

CVE-2015-3145

The sanitize_cookie_path function in cURL and libcurl 7.31.0 through 7.41.0 does not properly calculate an index, which allows remote attackers to cause a denial of service (out-of-bounds write and crash) or possibly have other unspecified impact via a cookie path containing only a double-quote cha...

7.5CVSS9.4AI score0.65095EPSS

CVE•added 2015/06/22 7:59 p.m.•97 views

CVE-2015-3237

The smb_request_state function in cURL and libcurl 7.40.0 through 7.42.1 allows remote SMB servers to obtain sensitive information from memory or cause a denial of service (out-of-bounds read and crash) via crafted length and offset values.

6.4CVSS8.1AI score0.02783EPSS

CVE•added 2015/04/24 2:59 p.m.•96 views

CVE-2015-3144

The fix_hostname function in cURL and libcurl 7.37.0 through 7.41.0 does not properly calculate an index, which allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) or possibly have other unspecified impact via a zero-length host name, as demonstrated by "htt...

9CVSS9.3AI score0.02429EPSS

CVE•added 2015/06/22 7:59 p.m.•67 views

CVE-2015-3236

cURL and libcurl 7.40.0 through 7.42.1 send the HTTP Basic authentication credentials for a previous connection when reusing a reset (curl_easy_reset) connection handle to send a request to the same host name, which allows remote attackers to obtain sensitive information via unspecified vectors.

5CVSS9.1AI score0.04499EPSS

CVE•added 2015/01/15 3:59 p.m.•54 views

CVE-2014-8151

The darwinssl_connect_step1 function in lib/vtls/curl_darwinssl.c in libcurl 7.31.0 through 7.39.0, when using the DarwinSSL (aka SecureTransport) back-end for TLS, does not check if a cached TLS session validated the certificate when reusing the session, which allows man-in-the-middle attackers to...

5.8CVSS6.2AI score0.00424EPSS