Ubuntu.comUB:CVE-2017-1000100CVE-2017-1000100
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
0.004 Low
EPSS
Percentile
72.8%
When doing a TFTP transfer and curl/libcurl is given a URL that contains a
very long file name (longer than about 515 bytes), the file name is
truncated to fit within the buffer boundaries, but the buffer size is still
wrongly updated to use the untruncated length. This too large value is then
used in the sendto() call, making curl attempt to send more data than what
is actually put into the buffer. The endto() function will then read beyond
the end of the heap based buffer. A malicious HTTP(S) server could redirect
a vulnerable libcurl-using client to a crafted TFTP URL (if the client
hasnβt restricted which protocols it allows redirects to) and trick it to
send private memory contents to a remote server over UDP. Limit curlβs
redirect protocols with --proto-redir and libcurlβs with
CURLOPT_REDIR_PROTOCOLS.
Bugs
Related
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
0.004 Low
EPSS
Percentile
72.8%