FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-05-01 20:12:40 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
11e36890-d28c-11ec-a06f-d4c9ef517024curl -- Multiple vulnerabilities

The curl project reports:

CVE-2022-27778: curl removes wrong file on error

CVE-2022-27779: cookie for trailing dot TLD

CVE-2022-27780: percent-encoded path separator in URL host

CVE-2022-27781: CERTINFO never-ending busy-loop

CVE-2022-27782: TLS and SSH connection too eager reuse

CVE-2022-30115: HSTS bypass via trailing dot


Discovery 2022-05-11
Entry 2022-05-13
curl
< 7.83.1

CVE-2022-27778
CVE-2022-27779
CVE-2022-27780
CVE-2022-27781
CVE-2022-27782
CVE-2022-30115
https://curl.se/docs/security.html
b018121b-7a4b-11e6-bf52-b499baebfeafcURL -- Escape and unescape integer overflows

The cURL project reports

The four libcurl functions curl_escape(), curl_easy_escape(), curl_unescape and curl_easy_unescape perform string URL percent escaping and unescaping. They accept custom string length inputs in signed integer arguments.

The provided string length arguments were not properly checked and due to arithmetic in the functions, passing in the length 0xffffffff (2^32-1 or UINT_MAX or even just -1) would end up causing an allocation of zero bytes of heap memory that curl would attempt to write gigabytes of data into.


Discovery 2016-09-14
Entry 2016-09-14
curl
ge 7.11.1 lt 7.50.3

https://curl.haxx.se/docs/adv_20160914.html
CVE-2016-7167
caa98ffd-0a92-40d0-b234-fd79b429157ecURL -- URL request injection vulnerability

cURL reports:

When libcurl sends a request to a server via a HTTP proxy, it copies the entire URL into the request and sends if off. If the given URL contains line feeds and carriage returns those will be sent along to the proxy too, which allows the program to for example send a separate HTTP request injected embedded in the URL. Many programs allow some kind of external sources to set the URL or provide partial pieces for the URL to ask for, and if the URL as received from the user is not stripped good enough this flaw allows malicious users to do additional requests in a way that was not intended, or just to insert request headers into the request that the program didn't intend. We are not aware of any exploit of this flaw.


Discovery 2014-12-25
Entry 2015-01-09
curl
< 7.40.0

CVE-2014-8150
http://curl.haxx.se/docs/adv_20150108B.html
765feb7d-a0d1-11e6-a881-b499baebfeafcURL -- multiple vulnerabilities

The cURL project reports

  • cookie injection for other servers
  • case insensitive password comparison
  • OOB write via unchecked multiplication
  • double-free in curl_maprintf
  • double-free in krb5 code
  • glob parser write/read out of bounds
  • curl_getdate read out of bounds
  • URL unescape heap overflow via integer truncation
  • Use-after-free via shared cookies
  • invalid URL parsing with '#'
  • IDNA 2003 makes curl use wrong host

Discovery 2016-11-02
Entry 2016-11-02
curl
ge 7.1 lt 7.51.0

https://curl.haxx.se/docs/security.html
CVE-2016-8615
CVE-2016-8616
CVE-2016-8617
CVE-2016-8618
CVE-2016-8619
CVE-2016-8620
CVE-2016-8621
CVE-2016-8622
CVE-2016-8623
CVE-2016-8624
CVE-2016-8625
5d433534-f41c-402e-ade5-e0a2259a7cb6curl -- cURL/libcURL Location: Redirect URLs Security Bypass

Secunia reports:

The security issue is caused due to cURL following HTTP Location: redirects to e.g. scp:// or file:// URLs which can be exploited by a malicious HTTP server to overwrite or disclose the content of arbitrary local files and potentially execute arbitrary commands via specially crafted redirect URLs.


Discovery 2009-03-03
Entry 2009-03-04
curl
ge 5.11 lt 7.19.4

CVE-2009-0037
http://secunia.com/advisories/34138/
714b033a-2b09-11e9-8bc3-610fd6e6cd05curl -- multiple vulnerabilities

curl security problems:

CVE-2018-16890: NTLM type-2 out-of-bounds buffer read

libcurl contains a heap buffer out-of-bounds read flaw.

The function handling incoming NTLM type-2 messages (lib/vauth/ntlm.c:ntlm_decode_type2_target) does not validate incoming data correctly and is subject to an integer overflow vulnerability.

Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length + offset combination that would lead to a buffer read out-of-bounds.

CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow

libcurl contains a stack based buffer overflow vulnerability.

The function creating an outgoing NTLM type-3 header (lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()), generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening.

This output data can grow larger than the local buffer if very large "nt response" data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server.

Such a "large value" needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header.

CVE-2019-3823: SMTP end-of-response out-of-bounds read

libcurl contains a heap out-of-bounds read in the code handling the end-of-response for SMTP.

If the buffer passed to smtp_endofresp() isn't NUL terminated and contains no character ending the parsed number, and len is set to 5, then the strtol() call reads beyond the allocated buffer. The read contents will not be returned to the caller.


Discovery 2019-02-07
Entry 2019-02-07
curl
< 7.64.0

https://curl.haxx.se/docs/security.html
https://curl.haxx.se/docs/CVE-2018-16890.html
https://curl.haxx.se/docs/CVE-2019-3822.html
https://curl.haxx.se/docs/CVE-2019-3823.html
CVE-2018-16890
CVE-2019-3822
CVE-2019-3823
aa646c01-ea0d-11eb-9b84-d4c9ef517024cURL -- Multiple vulnerabilities

The cURL project reports:

CURLOPT_SSLCERT mixup with Secure Transport (CVE-2021-22926)

TELNET stack contents disclosure again (CVE-2021-22925)

Bad connection reuse due to flawed path name checks (CVE-2021-92254)

Metalink download sends credentials (CVE-2021-92253)

Wrong content via metalink not discarded (CVE-2021-92252)


Discovery 2021-07-21
Entry 2021-07-21
curl
< 7.78.0

CVE-2021-22922
CVE-2021-22923
CVE-2021-22924
CVE-2021-22925
CVE-2021-22926
https://curl.se/docs/vuln-7.77.0.html
b1194286-958e-11eb-9c34-080027f515eacurl -- Automatic referer leaks credentials

Daniel Stenberg reports:

libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.

libcurl automatically sets the Referer: HTTP request header field in outgoing HTTP requests if the CURLOPT_AUTOREFERER option is set. With the curl tool, it is enabled with --referer ";auto".


Discovery 2021-03-31
Entry 2021-04-10
curl
ge 7.1.1 lt 7.76.0

CVE-2021-22876
https://curl.se/docs/CVE-2021-22876.html
9aecb94c-c1ad-11e3-a5ac-001b21614864cURL -- inappropriate GSSAPI delegation

cURL reports:

When doing GSSAPI authentication, libcurl unconditionally performs credential delegation. This hands the server a copy of the client's security credentials, allowing the server to impersonate the client to any other using the same GSSAPI mechanism.


Discovery 2011-06-23
Entry 2014-04-11
Modified 2014-04-30
curl
ge 7.10.6 le 7.21.6

linux-f10-curl
ge 7.10.6 le 7.21.6

CVE-2011-2192
http://curl.haxx.se/docs/adv_20110623.html
92a4d881-c6cf-11ec-a06f-d4c9ef517024cURL -- Multiple vulnerabilities

The cURL project reports:

  • OAUTH2 bearer bypass in connection re-use (CVE-2022-22576)
  • Credential leak on redirect (CVE-2022-27774)
  • Bad local IPv6 connection reuse (CVE-2022-27775)
  • Auth/cookie leak on redirect (CVE-2022-27776)

Discovery 2022-04-27
Entry 2022-04-28
curl
< 7.83.0

CVE-2022-22576
CVE-2022-27774
CVE-2022-27775
CVE-2022-27776
https://curl.se/docs/vuln-7.82.0.html
0f99a30c-7b4b-11ed-9168-080027f5fec9curl -- multiple vulnerabilities

Daniel Stenberg reports:

CVE-2022-32221: POST following PUT confusion
When doing HTTP(S) transfers, libcurl might erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously was used to issue a PUT request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent POST request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.
CVE-2022-35260: .netrc parser out-of-bounds access
curl can be told to parse a .netrc file for credentials. If that file ends in a line with consecutive non-white space letters and no newline, curl could read past the end of the stack-based buffer, and if the read works, write a zero byte possibly beyond its boundary. This will in most cases cause a segfault or similar, but circumstances might also cause different outcomes. If a malicious user can provide a custom netrc file to an application or otherwise affect its contents, this flaw could be used as denial-of-service.
CVE-2022-42915: HTTP proxy double-free
f curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 response code to the client. Due to flaws in the error/cleanup handling, this could trigger a double-free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, telnet
CVE-2022-42916: HSTS bypass via IDN
curl's HSTS check could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) .. Like this: http://curl。se。

Discovery 2022-10-26
Entry 2022-12-14
curl
< 7.86.0

CVE-2022-32221
CVE-2022-35260
CVE-2022-42915
CVE-2022-42916
https://curl.se/docs/CVE-2022-32221.html
https://curl.se/docs/CVE-2022-35260.html
https://curl.se/docs/CVE-2022-42915.html
https://curl.se/docs/CVE-2022-42916.html
8b27f1bc-c509-11e5-a95f-b499baebfeafcurl -- Credentials not checked

The cURL project reports:

libcurl will reuse NTLM-authenticated proxy connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer.


Discovery 2016-01-27
Entry 2016-01-27
Modified 2017-02-06
curl
ge 7.10.0 lt 7.47.0

http://curl.haxx.se/docs/adv_20160127A.html
CVE-2016-0755
01cf67b3-dc3b-11e2-a6cd-c48508086173cURL library -- heap corruption in curl_easy_unescape

cURL developers report:

libcurl is vulnerable to a case of bad checking of the input data which may lead to heap corruption.

The function curl_easy_unescape() decodes URL-encoded strings to raw binary data. URL-encoded octets are represented with %HH combinations where HH is a two-digit hexadecimal number. The decoded string is written to an allocated memory area that the function returns to the caller.

The function takes a source string and a length parameter, and if the length provided is 0 the function will instead use strlen() to figure out how much data to parse.

The "%HH" parser wrongly only considered the case where a zero byte would terminate the input. If a length-limited buffer was passed in which ended with a '%' character which was followed by two hexadecimal digits outside of the buffer libcurl was allowed to parse alas without a terminating zero, libcurl would still parse that sequence as well. The counter for remaining data to handle would then be decreased too much and wrap to become a very large integer and the copying would go on too long and the destination buffer that is allocated on the heap would get overwritten.

We consider it unlikely that programs allow user-provided strings unfiltered into this function. Also, only the not zero-terminated input string use case is affected by this flaw. Exploiting this flaw for gain is probably possible for specific circumstances but we consider the general risk for this to be low.

The curl command line tool is not affected by this problem as it doesn't use this function.

There are no known exploits available at this time.


Discovery 2013-06-22
Entry 2013-06-23
Modified 2013-07-01
curl
ge 7.7 lt 7.24.0_4

CVE-2013-2174
http://curl.haxx.se/docs/adv_20130622.html
be233fc6-bae7-11ed-a4fb-080027f5fec9curl -- multiple vulnerabilities

Harry Sintonen and Patrick Monnerat report:

CVE-2023-23914
A cleartext transmission of sensitive information vulnerability exists in curl < v7.88.0 that could cause HSTS functionality fail when multiple URLs are requested serially. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly be ignored by subsequent transfers when done on the same command line because the state would not be properly carried on.
CVE-2023-23915
A cleartext transmission of sensitive information vulnerability exists in curl < v7.88.0 that could cause HSTS functionality to behave incorrectly when multiple URLs are requested in parallel. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly fail when multiple transfers are done in parallel as the HSTS cache file gets overwritten by the most recently completed transfer. A later HTTP-only transfer to the earlier host name would then *not* get upgraded properly to HSTS.
CVE-2023-23916
An allocation of resources without limits or throttling vulnerability exists in curl < v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was capped, but the cap was implemented on a per-header basis allowing a malicious server to insert a virtually unlimited number of compression steps simply by using many headers. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.

Discovery 2023-02-15
Entry 2023-03-05
curl
< 7.88.0

CVE-2023-23914
CVE-2023-23915
CVE-2023-23916
https://curl.se/docs/security.html
3c77f139-3a09-11eb-929d-d4c9ef517024cURL -- Multiple vulnerabilities

The cURL project reports:

Trusting FTP PASV responses (CVE-2020-8284)

FTP wildcard stack overflow (CVE-2020-8285)

Inferior OCSP verification (CVE-2020-8286)


Discovery 2020-12-09
Entry 2020-12-09
curl
gt 4.0 lt 7.74.0

https://curl.se/docs/security.html
CVE-2020-8284
CVE-2020-8285
CVE-2020-8286
f4d638b9-e6e5-4dbe-8c70-571dbc116174curl -- password overflow vulnerability

curl security problems:

CVE-2018-14618: NTLM password overflow via integer overflow

The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap.

The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow.

This bug is almost identical to CVE-2017-8816.


Discovery 2018-09-05
Entry 2018-09-05
Modified 2019-08-03
curl
ge 7.15.4 lt 7.61.1

linux-c7-curl
< 7.29.0_6

https://curl.haxx.se/docs/security.html
https://curl.haxx.se/docs/CVE-2018-14618.html
CVE-2018-14618
e0ab1773-07c1-46c6-9170-4c5e81c00927curl -- multiple vulnerabilities

curl security problems:

CVE-2018-16839: SASL password overflow via integer overflow

libcurl contains a buffer overrun in the SASL authentication code.

The internal function Curl_auth_create_plain_message fails to correctly verify that the passed in lengths for name and password aren't too long, then calculates a buffer size to allocate.

On systems with a 32 bit size_t, the math to calculate the buffer size triggers an integer overflow when the user name length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow.

This bug is very similar to CVE-2017-14618.

It affects curl 7.33.0 to 7.61.1.

CVE-2018-16840: use-after-free in handle close

libcurl contains a heap use-after-free flaw in code related to closing an easy handle.

When closing and cleaning up an "easy" handle in the Curl_close() function, the library code first frees a struct (without nulling the pointer) and might then subsequently erroneously write to a struct field within that already freed struct.

It affects curl 7.59.0 to 7.61.1.

CVE-2018-16842: warning message out-of-buffer read

curl contains a heap out of buffer read vulnerability.

The command line tool has a generic function for displaying warning and informational messages to stderr for various situations. For example if an unknown command line argument is used, or passed to it in a "config" file.

This display function formats the output to wrap at 80 columns. The wrap logic is however flawed, so if a single word in the message is itself longer than 80 bytes the buffer arithmetic calculates the remainder wrong and will end up reading behind the end of the buffer. This could lead to information disclosure or crash.

This vulnerability could lead to a security issue if used in this or similar situations:

1. a server somewhere uses the curl command line to run something

2. if it fails, it shows stderr to the user

3. the server takes user input for parts of its command line input

4. user provides something overly long that triggers this crash

5. the stderr output may now contain user memory contents that wasn't meant to be available

It affects curl 7.14.1 to 7.61.1.


Discovery 2018-10-31
Entry 2018-11-01
curl
ge 7.14.1 lt 7.60.0

https://curl.haxx.se/docs/security.html
https://curl.haxx.se/docs/CVE-2018-16839.html
https://curl.haxx.se/docs/CVE-2018-16840.html
https://curl.haxx.se/docs/CVE-2018-16842.html
CVE-2018-16839
CVE-2018-16840
CVE-2018-16842
27f742f6-03f4-11e5-aab1-d050996490d0cURL -- sensitive HTTP server headers also sent to proxies

cURL reports:

libcurl provides applications a way to set custom HTTP headers to be sent to the server by using CURLOPT_HTTPHEADER. A similar option is available for the curl command-line tool with the '--header' option.

When the connection passes through an HTTP proxy the same set of headers is sent to the proxy as well by default. While this is by design, it has not necessarily been clear nor understood by application programmers.


Discovery 2015-04-29
Entry 2015-05-26
curl
< 7.42.1

CVE-2015-3153
http://curl.haxx.se/docs/adv_20150429.html
ccace707-a8d8-11e7-ac58-b499baebfeafcURL -- out of bounds read

The cURL project reports:

FTP PWD response parser out of bounds read

libcurl may read outside of a heap allocated buffer when doing FTP.

When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the PWD command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses.

Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path.

A malicious server could abuse this fact and effectively prevent libcurl-based clients to work with it - the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault.


Discovery 2017-10-04
Entry 2017-10-04
curl
< 7.56.0

https://curl.haxx.se/docs/adv_20171004.html
CVE-2017-1000254
04fe6c8d-2a34-4009-a81e-e7a7e759b5d2cURL -- multiple vulnerabilities

cURL security problems:

CVE-2018-1000300: FTP shutdown response buffer overflow

curl might overflow a heap based memory buffer when closing down an FTP connection with very long server command replies.

When doing FTP transfers, curl keeps a spare "closure handle" around internally that will be used when an FTP connection gets shut down since the original curl easy handle is then already removed.

FTP server response data that gets cached from the original transfer might then be larger than the default buffer size (16 KB) allocated in the "closure handle", which can lead to a buffer overwrite. The contents and size of that overwrite is controllable by the server.

This situation was detected by an assert() in the code, but that was of course only preventing bad stuff in debug builds. This bug is very unlikely to trigger with non-malicious servers.

We are not aware of any exploit of this flaw.

CVE-2018-1000301: RTSP bad headers buffer over-read

curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded content.

When servers send RTSP responses back to curl, the data starts out with a set of headers. curl parses that data to separate it into a number of headers to deal with those appropriately and to find the end of the headers that signal the start of the "body" part.

The function that splits up the response into headers is called Curl_http_readwrite_headers() and in situations where it can't find a single header in the buffer, it might end up leaving a pointer pointing into the buffer instead of to the start of the buffer which then later on may lead to an out of buffer read when code assumes that pointer points to a full buffer size worth of memory to use.

This could potentially lead to information leakage but most likely a crash/denial of service for applications if a server triggers this flaw.

We are not aware of any exploit of this flaw.


Discovery 2018-05-16
Entry 2018-05-16
curl
< 7.60.0

https://curl.haxx.se/docs/security.html
https://curl.haxx.se/docs/adv_2018-82c2.html
https://curl.haxx.se/docs/adv_2018-b138.html
CVE-2018-1000300
CVE-2018-1000301
0d7d104c-c6fb-11ed-8a4b-080027f5fec9curl -- multiple vulnerabilities

Harry Sintonen reports:

CVE-2023-27533
curl supports communicating using the TELNET protocol and as a part of this it offers users to pass on user name and "telnet options" for the server negotiation. Due to lack of proper input scrubbing and without it being the documented functionality, curl would pass on user name and telnet options to the server as provided. This could allow users to pass in carefully crafted content that pass on content or do option negotiation without the application intending to do so. In particular if an application for example allows users to provide the data or parts of the data.
CVE-2023-27534
curl supports SFTP transfers. curl's SFTP implementation offers a special feature in the path component of URLs: a tilde (~) character as the first path element in the path to denotes a path relative to the user's home directory. This is supported because of wording in the once proposed to-become RFC draft that was to dictate how SFTP URLs work. Due to a bug, the handling of the tilde in SFTP path did however not only replace it when it is used stand-alone as the first path element but also wrongly when used as a mere prefix in the first element. Using a path like /~2/foo when accessing a server using the user dan (with home directory /home/dan) would then quite surprisingly access the file /home/dan2/foo. This can be taken advantage of to circumvent filtering or worse.
CVE-2023-27535
libcurl would reuse a previously created FTP connection even when one or more options had been changed that could have made the effective user a very different one, thus leading to the doing the second transfer with wrong credentials. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, several FTP settings were left out from the configuration match checks, making them match too easily. The settings in questions are CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC and CURLOPT_USE_SSL level.
CVE-2023-27536
ibcurl would reuse a previously created connection even when the GSS delegation (CURLOPT_GSSAPI_DELEGATION) option had been changed that could have changed the user's permissions in a second transfer. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, this GSS delegation setting was left out from the configuration match checks, making them match too easily, affecting krb5/kerberos/negotiate/GSSAPI transfers.
CVE-2023-27537
libcurl supports sharing HSTS data between separate "handles". This sharing was introduced without considerations for do this sharing across separate threads but there was no indication of this fact in the documentation. Due to missing mutexes or thread locks, two threads sharing the same HSTS data could end up doing a double-free or use-after-free.
CVE-2023-27538
libcurl would reuse a previously created connection even when an SSH related option had been changed that should have prohibited reuse. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, two SSH settings were left out from the configuration match checks, making them match too easily.

Discovery 2023-03-20
Entry 2023-03-20
curl
< 8.0.0

CVE-2023-27533
CVE-2023-27534
CVE-2023-27535
CVE-2023-27536
CVE-2023-27537
CVE-2023-27538
https://curl.se/docs/security.html
04f29189-1a05-11e7-bc6e-b499baebfeafcURL -- potential memory disclosure

The cURL project reports:

There were two bugs in curl's parser for the command line option --write-out (or -w for short) that would skip the end of string zero byte if the string ended in a % (percent) or \ (backslash), and it would read beyond that buffer in the heap memory and it could then potentially output pieces of that memory to the terminal or the target file etc..

This flaw only exists in the command line tool.

We are not aware of any exploit of this flaw.


Discovery 2017-04-03
Entry 2017-04-05
Modified 2017-04-06
curl
ge 6.5 lt 7.53.1_1

https://curl.haxx.se/docs/adv_20170403.html
CVE-2017-7407
02e33cd1-c655-11ee-8613-08002784c58dcurl -- OCSP verification bypass with TLS session reuse

Hiroki Kurosawa reports:

curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (OCSP stapling) test failed. A subsequent transfer to the same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check.


Discovery 2024-01-31
Entry 2024-02-28
curl
< 8.6.0

CVE-2024-0853
https://curl.se/docs/CVE-2024-0853.html
c8c31c41-49ed-11df-83fb-0015587e2cc1curl -- libcurl buffer overflow vulnerability

The cURL project reports in a security advisory:

Using the affected libcurl version to download compressed content over HTTP, an application can ask libcurl to automatically uncompress data. When doing so, libcurl can wrongly send data up to 64K in size to the callback which thus is much larger than the documented maximum size.

An application that blindly trusts libcurl's max limit for a fixed buffer size or similar is then a possible target for a buffer overflow vulnerability.


Discovery 2010-02-09
Entry 2010-04-19
curl
ge 7.10.5 lt 7.20.0

CVE-2010-0734
http://curl.haxx.se/docs/adv_20100209.html
http://www.debian.org/security/2010/dsa-2023
http://www.openwall.com/lists/oss-security/2010/02/09/5
833b469b-5247-11ee-9667-080027f5fec9curl -- HTTP headers eat all memory

selmelc on hackerone reports:

When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API.

However, curl did not have a limit in how many or how large headers it would accept in a response, allowing a malicious server to stream an endless series of headers and eventually cause curl to run out of heap memory.


Discovery 2023-09-13
Entry 2023-09-13
curl
< 8.3.0

CVE-2023-38039
https://curl.se/docs/CVE-2023-38039.html HERE
a4f8bb03-f52f-11ed-9859-080027083a05curl -- multiple vulnerabilities

Wei Chong Tan, Harry Sintonen, and Hiroki Kurosawa reports:

This update fixes 4 security vulnerabilities:

  • Medium CVE-2023-28319: UAF in SSH sha256 fingerprint check. Reported by Wei Chong Tan on 2023-03-21
  • Low CVE-2023-28320: siglongjmp race condition. Reported by Harry Sintonen on 2023-04-02
  • Low CVE-2023-28321: IDN wildcard match. Reported by Hiroki Kurosawa on 2023-04-17
  • Low CVE-2023-28322: more POST-after-PUT confusion. Reported by Hiroki Kurosawa on 2023-04-19

Discovery 2023-03-21
Entry 2023-05-19
curl
< 8.1.0

CVE-2023-28319
https://curl.se/docs/CVE-2023-28319.html
CVE-2023-28320
https://curl.se/docs/CVE-2023-28320.html
CVE-2023-28321
https://curl.se/docs/CVE-2023-28321.html
CVE-2023-28322
https://curl.se/docs/CVE-2023-28322.html
0cbf0fa6-dcb7-469c-b87a-f94cffd94583cURL -- Multiple vulnerabilities

The cURL project reports:

libcurl 7.1 through 7.57.0 might accidentally leak authentication data to third parties. When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the `Location:` response header value. Sending the same set of headers to subsequest hosts is in particular a problem for applications that pass on custom `Authorization:` headers, as this header often contains privacy sensitive information or data that could allow others to impersonate the libcurl-using client's request.


Discovery 2018-01-24
Entry 2018-01-26
curl
< 7.58.0

https://curl.haxx.se/docs/adv_2018-b3bf.html
CVE-2018-1000007
69cfa386-7cd0-11e7-867f-b499baebfeafcURL -- multiple vulnerabilities

The cURL project reports:

  • FILE buffer read out of bounds
  • TFTP sends more than buffer size
  • URL globbing out of bounds read

Discovery 2017-08-09
Entry 2017-08-09
curl
< 7.55.0

https://curl.haxx.se/docs/security.html
CVE-2017-1000099
CVE-2017-1000100
CVE-2017-1000101
42880202-c81c-11e6-a9a5-b499baebfeafcURL -- buffer overflow

The cURL project reports:

printf floating point buffer overflow

libcurl's implementation of the printf() functions triggers a buffer overflow when doing a large floating point output. The bug occurs when the conversion outputs more than 255 bytes.


Discovery 2016-12-21
Entry 2016-12-22
curl
ge 7.1 lt 7.52

https://curl.haxx.se/docs/vuln-7.51.0.html
CVE-2016-9586
6294f75f-03f2-11e5-aab1-d050996490d0cURL -- multiple vulnerabilities

cURL reports:

libcurl keeps a pool of its last few connections around after use to facilitate easy, convenient, and completely transparent connection re-use for applications.

When doing HTTP requests NTLM authenticated, the entire connection becomes authenticated and not just the specific HTTP request which is otherwise how HTTP works. This makes NTLM special and a subject for special treatment in the code. With NTLM, once the connection is authenticated, no further authentication is necessary until the connection gets closed.

When doing HTTP requests Negotiate authenticated, the entire connection may become authenticated and not just the specific HTTP request which is otherwise how HTTP works, as Negotiate can basically use NTLM under the hood. curl was not adhering to this fact but would assume that such requests would also be authenticated per request.

libcurl supports HTTP "cookies" as documented in RFC 6265. Together with each individual cookie there are several different properties, but for this vulnerability we focus on the associated "path" element. It tells information about for which path on a given host the cookies is valid.

The internal libcurl function called sanitize_cookie_path() that cleans up the path element as given to it from a remote site or when read from a file, did not properly validate the input. If given a path that consisted of a single double-quote, libcurl would index a newly allocated memory area with index -1 and assign a zero to it, thus destroying heap memory it wasn't supposed to.

There is a private function in libcurl called fix_hostname() that removes a trailing dot from the host name if there is one. The function is called after the host name has been extracted from the URL libcurl has been told to act on.

If a URL is given with a zero-length host name, like in "http://:80" or just ":80", fix_hostname() will index the host name pointer with a -1 offset (as it blindly assumes a non-zero length) and both read and assign that address.


Discovery 2015-04-22
Entry 2015-05-26
curl
< 7.42.0

http://curl.haxx.se/docs/adv_20150422A.html
http://curl.haxx.se/docs/adv_20150422B.html
http://curl.haxx.se/docs/adv_20150422C.html
http://curl.haxx.se/docs/adv_20150422D.html
CVE-2014-3143
CVE-2014-3144
CVE-2014-3145
CVE-2014-3148