VuXML ID | Description |
c9221ec9-17a2-11ec-b335-d4c9ef517024 | cURL -- Multiple vulnerabilities
The cURL project reports:
- UAF and double-free in MQTT sending (CVE-2021-22945)
- Protocol downgrade required TLS bypassed (CVE-2021-22946)
- STARTTLS protocol injection via MITM (CVE-2021-22945)
Discovery 2021-09-15 Entry 2021-09-17 Modified 2021-09-28 curl
ge 7.20.0 lt 7.79.0
CVE-2021-22945
CVE-2021-22946
CVE-2021-22947
https://curl.se/docs/security.html
|
69cfa386-7cd0-11e7-867f-b499baebfeaf | cURL -- multiple vulnerabilities
The cURL project reports:
- FILE buffer read out of bounds
- TFTP sends more than buffer size
- URL globbing out of bounds read
Discovery 2017-08-09 Entry 2017-08-09 curl
< 7.55.0
https://curl.haxx.se/docs/security.html
CVE-2017-1000099
CVE-2017-1000100
CVE-2017-1000101
|
04f29189-1a05-11e7-bc6e-b499baebfeaf | cURL -- potential memory disclosure
The cURL project reports:
There were two bugs in curl's parser for the command line option
--write-out (or -w for short) that would skip the end of string
zero byte if the string ended in a % (percent) or \ (backslash),
and it would read beyond that buffer in the heap memory and it
could then potentially output pieces of that memory to the
terminal or the target file etc..
This flaw only exists in the command line tool.
We are not aware of any exploit of this flaw.
Discovery 2017-04-03 Entry 2017-04-05 Modified 2017-04-06 curl
ge 6.5 lt 7.53.1_1
https://curl.haxx.se/docs/adv_20170403.html
CVE-2017-7407
|
714b033a-2b09-11e9-8bc3-610fd6e6cd05 | curl -- multiple vulnerabilities
curl security problems:
CVE-2018-16890: NTLM type-2 out-of-bounds buffer read
libcurl contains a heap buffer out-of-bounds read flaw.
The function handling incoming NTLM type-2 messages
(lib/vauth/ntlm.c:ntlm_decode_type2_target) does not validate incoming
data correctly and is subject to an integer overflow vulnerability.
Using that overflow, a malicious or broken NTLM server could trick
libcurl to accept a bad length + offset combination that would lead to a
buffer read out-of-bounds.
CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow
libcurl contains a stack based buffer overflow vulnerability.
The function creating an outgoing NTLM type-3 header
(lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()), generates the
request HTTP header contents based on previously received data. The
check that exists to prevent the local buffer from getting overflowed is
implemented wrongly (using unsigned math) and as such it does not
prevent the overflow from happening.
This output data can grow larger than the local buffer if very large
"nt response" data is extracted from a previous NTLMv2 header provided
by the malicious or broken HTTP server.
Such a "large value" needs to be around 1000 bytes or more. The actual
payload data copied to the target buffer comes from the NTLMv2 type-2
response header.
CVE-2019-3823: SMTP end-of-response out-of-bounds read
libcurl contains a heap out-of-bounds read in the code handling the
end-of-response for SMTP.
If the buffer passed to smtp_endofresp() isn't NUL terminated and
contains no character ending the parsed number, and len is set to 5,
then the strtol() call reads beyond the allocated buffer. The read
contents will not be returned to the caller.
Discovery 2019-02-07 Entry 2019-02-07 curl
< 7.64.0
https://curl.haxx.se/docs/security.html
https://curl.haxx.se/docs/CVE-2018-16890.html
https://curl.haxx.se/docs/CVE-2019-3822.html
https://curl.haxx.se/docs/CVE-2019-3823.html
CVE-2018-16890
CVE-2019-3822
CVE-2019-3823
|
aa646c01-ea0d-11eb-9b84-d4c9ef517024 | cURL -- Multiple vulnerabilities
The cURL project reports:
CURLOPT_SSLCERT mixup with Secure Transport (CVE-2021-22926)
TELNET stack contents disclosure again (CVE-2021-22925)
Bad connection reuse due to flawed path name checks (CVE-2021-92254)
Metalink download sends credentials (CVE-2021-92253)
Wrong content via metalink not discarded (CVE-2021-92252)
Discovery 2021-07-21 Entry 2021-07-21 curl
< 7.78.0
CVE-2021-22922
CVE-2021-22923
CVE-2021-22924
CVE-2021-22925
CVE-2021-22926
https://curl.se/docs/vuln-7.77.0.html
|
ccace707-a8d8-11e7-ac58-b499baebfeaf | cURL -- out of bounds read
The cURL project reports:
FTP PWD response parser out of bounds read
libcurl may read outside of a heap allocated buffer when doing FTP.
When libcurl connects to an FTP server and successfully logs in
(anonymous or not), it asks the server for the current directory with
the PWD command. The server then responds with a 257 response containing
the path, inside double quotes. The returned path name is then kept by
libcurl for subsequent uses.
Due to a flaw in the string parser for this directory name, a directory
name passed like this but without a closing double quote would lead to
libcurl not adding a trailing NUL byte to the buffer holding the name.
When libcurl would then later access the string, it could read beyond
the allocated heap buffer and crash or wrongly access data beyond the
buffer, thinking it was part of the path.
A malicious server could abuse this fact and effectively prevent
libcurl-based clients to work with it - the PWD command is always issued
on new FTP connections and the mistake has a high chance of causing a
segfault.
Discovery 2017-10-04 Entry 2017-10-04 curl
< 7.56.0
https://curl.haxx.se/docs/adv_20171004.html
CVE-2017-1000254
|
6bff5ca6-b61a-11ea-aef4-08002728f74c | curl -- multiple vulnerabilities
curl security problems:
CVE-2020-8169: Partial password leak over DNS on HTTP redirect
libcurl can be tricked to prepend a part of the password to the
host name before it resolves it, potentially leaking the partial
password over the network and to the DNS server(s).
libcurl can be given a username and password for HTTP
authentication when requesting an HTTP resource - used for HTTP
Authentication such as Basic, Digest, NTLM and similar. The
credentials are set, either together with CURLOPT_USERPWD or
separately with CURLOPT_USERNAME and CURLOPT_PASSWORD. Important
detail: these strings are given to libcurl as plain C strings and
they are not supposed to be URL encoded.
In addition, libcurl also allows the credentials to be set in the
URL, using the standard RFC 3986 format:
http://user:password@host/path. In this case, the name and password
are URL encoded as that's how they appear in URLs.
If the options are set, they override the credentials set in the
URL.
Internally, this is handled by storing the credentials in the "URL
object" so that there is only a single set of credentials stored
associated with this single URL.
When libcurl handles a relative redirect (as opposed to an
absolute URL redirect) for an HTTP transfer, the server is only
sending a new path to the client and that path is applied on to the
existing URL. That "applying" of the relative path on top of an
absolute URL is done by libcurl first generating a full absolute
URL out of all the components it has, then it applies the redirect
and finally it deconstructs the URL again into its separate
components.
This security vulnerability originates in the fact that curl did
not correctly URL encode the credential data when set using one of
the curl_easy_setopt options described above. This made curl
generate a badly formatted full URL when it would do a redirect and
the final re-parsing of the URL would then go bad and wrongly
consider a part of the password field to belong to the host name.
The wrong host name would then be used in a name resolve lookup,
potentially leaking the host name + partial password in clear text
over the network (if plain DNS was used) and in particular to the
used DNS server(s).
CVE-2020-8177: curl overwrite local file with -J
curl can be tricked by a malicious server to overwrite a local
file when using -J (--remote-header-name) and -i (--include) in the
same command line.
The command line tool offers the -J option that saves a remote
file using the file name present in the Content-Disposition:
response header. curl then refuses to overwrite an existing local
file using the same name, if one already exists in the current
directory.
The -J flag is designed to save a response body, and so it doesn't
work together with -i and there's logic that forbids it. However,
the check is flawed and doesn't properly check for when the options
are used in the reversed order: first using -J and then -i were
mistakenly accepted.
The result of this mistake was that incoming HTTP headers could
overwrite a local file if one existed, as the check to avoid the
local file was done first when body data was received, and due to
the mistake mentioned above, it could already have received and
saved headers by that time.
The saved file would only get response headers added to it, as it
would abort the saving when the first body byte arrives. A
malicious server could however still be made to send back virtually
anything as headers and curl would save them like this, until the
first CRLF-CRLF sequence appears.
(Also note that -J needs to be used in combination with -O to have
any effect.)
Discovery 2020-06-24 Entry 2020-06-24 curl
ge 7.20.0 lt 7.71.0
https://curl.haxx.se/docs/security.html
https://curl.haxx.se/docs/CVE-2020-8169.html
https://curl.haxx.se/docs/CVE-2020-8177.html
CVE-2020-8169
CVE-2020-8177
|
0cbf0fa6-dcb7-469c-b87a-f94cffd94583 | cURL -- Multiple vulnerabilities
The cURL project reports:
libcurl 7.1 through 7.57.0 might accidentally leak authentication
data to third parties. When asked to send custom headers in its HTTP
requests, libcurl will send that set of headers first to the host in
the initial URL but also, if asked to follow redirects and a 30X HTTP
response code is returned, to the host mentioned in URL in the
`Location:` response header value. Sending the same set of headers to
subsequest hosts is in particular a problem for applications that pass
on custom `Authorization:` headers, as this header often contains
privacy sensitive information or data that could allow others to
impersonate the libcurl-using client's request.
Discovery 2018-01-24 Entry 2018-01-26 curl
< 7.58.0
https://curl.haxx.se/docs/adv_2018-b3bf.html
CVE-2018-1000007
|
e0ab1773-07c1-46c6-9170-4c5e81c00927 | curl -- multiple vulnerabilities
curl security problems:
CVE-2018-16839: SASL password overflow via integer overflow
libcurl contains a buffer overrun in the SASL authentication code.
The internal function Curl_auth_create_plain_message fails to
correctly verify that the passed in lengths for name and password
aren't too long, then calculates a buffer size to allocate.
On systems with a 32 bit size_t, the math to calculate the buffer size
triggers an integer overflow when the user name length exceeds 2GB
(2^31 bytes). This integer overflow usually causes a very small buffer
to actually get allocated instead of the intended very huge one, making
the use of that buffer end up in a heap buffer overflow.
This bug is very similar to CVE-2017-14618.
It affects curl 7.33.0 to 7.61.1.
CVE-2018-16840: use-after-free in handle close
libcurl contains a heap use-after-free flaw in code related to closing
an easy handle.
When closing and cleaning up an "easy" handle in the Curl_close()
function, the library code first frees a struct (without nulling the
pointer) and might then subsequently erroneously write to a struct
field within that already freed struct.
It affects curl 7.59.0 to 7.61.1.
CVE-2018-16842: warning message out-of-buffer read
curl contains a heap out of buffer read vulnerability.
The command line tool has a generic function for displaying warning
and informational messages to stderr for various situations. For
example if an unknown command line argument is used, or passed to it in
a "config" file.
This display function formats the output to wrap at 80 columns. The
wrap logic is however flawed, so if a single word in the message is
itself longer than 80 bytes the buffer arithmetic calculates the
remainder wrong and will end up reading behind the end of the buffer.
This could lead to information disclosure or crash.
This vulnerability could lead to a security issue if used in this or
similar situations:
1. a server somewhere uses the curl command line to run something
2. if it fails, it shows stderr to the user
3. the server takes user input for parts of its command line input
4. user provides something overly long that triggers this crash
5. the stderr output may now contain user memory contents that wasn't
meant to be available
It affects curl 7.14.1 to 7.61.1.
Discovery 2018-10-31 Entry 2018-11-01 curl
ge 7.14.1 lt 7.60.0
https://curl.haxx.se/docs/security.html
https://curl.haxx.se/docs/CVE-2018-16839.html
https://curl.haxx.se/docs/CVE-2018-16840.html
https://curl.haxx.se/docs/CVE-2018-16842.html
CVE-2018-16839
CVE-2018-16840
CVE-2018-16842
|
3c77f139-3a09-11eb-929d-d4c9ef517024 | cURL -- Multiple vulnerabilities
The cURL project reports:
Trusting FTP PASV responses (CVE-2020-8284)
FTP wildcard stack overflow (CVE-2020-8285)
Inferior OCSP verification (CVE-2020-8286)
Discovery 2020-12-09 Entry 2020-12-09 curl
gt 4.0 lt 7.74.0
https://curl.se/docs/security.html
CVE-2020-8284
CVE-2020-8285
CVE-2020-8286
|
b1194286-958e-11eb-9c34-080027f515ea | curl -- Automatic referer leaks credentials
Daniel Stenberg reports:
libcurl does not strip off user credentials from the URL when
automatically populating the Referer: HTTP request header field
in outgoing HTTP requests, and therefore risks leaking sensitive
data to the server that is the target of the second HTTP request.
libcurl automatically sets the Referer: HTTP request header field
in outgoing HTTP requests if the CURLOPT_AUTOREFERER option is set.
With the curl tool, it is enabled with --referer ";auto".
Discovery 2021-03-31 Entry 2021-04-10 curl
ge 7.1.1 lt 7.76.0
CVE-2021-22876
https://curl.se/docs/CVE-2021-22876.html
|
143ec3d6-b7cf-11e7-ac58-b499baebfeaf | cURL -- out of bounds read
The cURL project reports:
libcurl contains a buffer overrun flaw in the IMAP handler.
An IMAP FETCH response line indicates the size of the returned data,
in number of bytes. When that response says the data is zero bytes,
libcurl would pass on that (non-existing) data with a pointer and
the size (zero) to the deliver-data function.
libcurl's deliver-data function treats zero as a magic number and
invokes strlen() on the data to figure out the length. The strlen()
is called on a heap based buffer that might not be zero terminated
so libcurl might read beyond the end of it into whatever memory lies
after (or just crash) and then deliver that to the application as if
it was actually downloaded.
Discovery 2017-10-23 Entry 2017-10-23 curl
ge 7.20 lt 7.56.1
https://curl.haxx.se/docs/adv_20171023.html
CVE-2017-1000257
|
11e36890-d28c-11ec-a06f-d4c9ef517024 | curl -- Multiple vulnerabilities
The curl project reports:
CVE-2022-27778: curl removes wrong file on error
CVE-2022-27779: cookie for trailing dot TLD
CVE-2022-27780: percent-encoded path separator in URL host
CVE-2022-27781: CERTINFO never-ending busy-loop
CVE-2022-27782: TLS and SSH connection too eager reuse
CVE-2022-30115: HSTS bypass via trailing dot
Discovery 2022-05-11 Entry 2022-05-13 curl
< 7.83.1
CVE-2022-27778
CVE-2022-27779
CVE-2022-27780
CVE-2022-27781
CVE-2022-27782
CVE-2022-30115
https://curl.se/docs/security.html
|
301a01b7-d50e-11e7-ac58-b499baebfeaf | cURL -- Multiple vulnerabilities
The cURL project reports:
- NTLM buffer overflow via integer overflow
(CVE-2017-8816)
libcurl contains a buffer overrun flaw
in the NTLM authentication code.
The internal function Curl_ntlm_core_mk_ntlmv2_hash sums up
the lengths of the user name + password (= SUM) and multiplies
the sum by two (= SIZE) to figure out how large storage to
allocate from the heap.
- FTP wildcard out of bounds read (CVE-2017-8817)
libcurl contains a read out of bounds flaw in the FTP wildcard
function.
libcurl's FTP wildcard matching feature, which is enabled with
the CURLOPT_WILDCARDMATCH option can use a built-in wildcard
function or a user provided one. The built-in wildcard function
has a flaw that makes it not detect the end of the pattern
string if it ends with an open bracket ([) but instead it will
continue reading the heap beyond the end of the URL buffer that
holds the wildcard.
- SSL out of buffer access (CVE-2017-8818)
libcurl contains an out boundary access flaw in SSL related code.
When allocating memory for a connection (the internal struct
called connectdata), a certain amount of memory is allocated at
the end of the struct to be used for SSL related structs. Those
structs are used by the particular SSL library libcurl is built
to use. The application can also tell libcurl which specific SSL
library to use if it was built to support more than one.
Discovery 2017-11-29 Entry 2017-11-29 Modified 2017-12-11 curl
ge 7.21.0 lt 7.57.0
linux-c7-curl
ge 7.21.0 lt 7.29.0_4
https://curl.haxx.se/changes.html
CVE-2017-8816
CVE-2017-8817
CVE-2017-8818
|
f4d638b9-e6e5-4dbe-8c70-571dbc116174 | curl -- password overflow vulnerability
curl security problems:
CVE-2018-14618: NTLM password overflow via integer overflow
The internal function Curl_ntlm_core_mk_nt_hash multiplies the length
of the password by two (SUM) to figure out how large temporary storage
area to allocate from the heap.
The length value is then subsequently used to iterate over the
password and generate output into the allocated storage buffer. On
systems with a 32 bit size_t, the math to calculate SUM triggers an
integer overflow when the password length exceeds 2GB (2^31 bytes).
This integer overflow usually causes a very small buffer to actually
get allocated instead of the intended very huge one, making the use of
that buffer end up in a heap buffer overflow.
This bug is almost identical to CVE-2017-8816.
Discovery 2018-09-05 Entry 2018-09-05 Modified 2019-08-03 curl
ge 7.15.4 lt 7.61.1
linux-c7-curl
< 7.29.0_6
https://curl.haxx.se/docs/security.html
https://curl.haxx.se/docs/CVE-2018-14618.html
CVE-2018-14618
|
dd343a2b-7ee7-11e9-a290-8ddc52868fa9 | curl -- multiple vulnerabilities
curl security problems:
CVE-2019-5435: Integer overflows in curl_url_set()
libcurl contains two integer overflows in the curl_url_set()
function that if triggered, can lead to a too small buffer
allocation and a subsequent heap buffer overflow.
The flaws only exist on 32 bit architectures and require
excessive string input lengths.
CVE-2019-5436: TFTP receive buffer overflow
libcurl contains a heap buffer overflow in the function
(tftp_receive_packet()) that recevives data from a TFTP server. It
calls recvfrom() with the default size for the buffer rather than
with the size that was used to allocate it. Thus, the content that
might overwrite the heap memory is entirely controlled by the server.
The flaw exists if the user selects to use a "blksize" of 504 or
smaller (default is 512). The smaller size that is used, the larger
the possible overflow becomes.
Users chosing a smaller size than default should be rare as the
primary use case for changing the size is to make it larger.
It is rare for users to use TFTP across the Internet. It is most
commonly used within local networks.
Discovery 2019-05-22 Entry 2019-05-25 Modified 2019-05-26 curl
ge 7.19.4 lt 7.65.0
https://curl.haxx.se/docs/security.html
https://curl.haxx.se/docs/CVE-2019-5435.html
https://curl.haxx.se/docs/CVE-2019-5436.html
CVE-2019-5435
CVE-2019-5436
|
b905dff4-e227-11ea-b0ea-08002728f74c | curl -- expired pointer dereference vulnerability
curl security problems:
CVE-2020-8231: wrong connect-only connection
An application that performs multiple requests with libcurl's multi API
and sets the CURLOPT_CONNECT_ONLY option, might in rare circumstances
experience that when subsequently using the setup connect-only transfer,
libcurl will pick and use the wrong connection - and instead pick
another one the application has created since then.
CURLOPT_CONNECT_ONLY is the option to tell libcurl to not perform an
actual transfer, only connect. When that operation is completed, libcurl
remembers which connection it used for that transfer and "easy handle".
It remembers the connection using a pointer to the internal connectdata
struct in memory.
If more transfers are then done with the same multi handle before the
connect-only connection is used, leading to the initial connect-only
connection to get closed (for example due to idle time-out) while also
new transfers (and connections) are setup, such a new connection might
end up getting the exact same memory address as the now closed
connect-only connection.
If after those operations, the application then wants to use the
original transfer's connect-only setup to for example use
curl_easy_send() to send raw data over that connection, libcurl could
erroneously find an existing connection still being alive at the address
it remembered since before even though this is now a new and different
connection.
The application could then accidentally send data over that connection
which wasn't at all intended for that recipient, entirely unknowingly.
Discovery 2020-08-19 Entry 2020-08-19 curl
ge 7.29.0 lt 7.72.0
https://curl.haxx.se/docs/security.html
https://curl.haxx.se/docs/CVE-2020-8231.html
CVE-2020-8231
|
9fb4e57b-d65a-11e9-8a5f-e5c82b486287 | curl -- multiple vulnerabilities
curl security problems:
CVE-2019-5481: FTP-KRB double-free
libcurl can be told to use kerberos over FTP to a server, as set with
the CURLOPT_KRBLEVEL option.
During such kerberos FTP data transfer, the server sends data to curl
in blocks with the 32 bit size of each block first and then that amount
of data immediately following.
A malicious or just broken server can claim to send a very large block
and if by doing that it makes curl's subsequent call to realloc() to
fail, curl would then misbehave in the exit path and double-free the
memory.
In practical terms, an up to 4 GB memory area may very well be fine to
allocate on a modern 64 bit system but on 32 bit systems it will fail.
Kerberos FTP is a rarely used protocol with curl. Also, Kerberos
authentication is usually only attempted and used with servers that the
client has a previous association with.
CVE-2019-5482: TFTP small blocksize heap buffer overflow
libcurl contains a heap buffer overflow in the function
(tftp_receive_packet()) that receives data from a TFTP server. It can
call recvfrom() with the default size for the buffer rather than with
the size that was used to allocate it. Thus, the content that might
overwrite the heap memory is controlled by the server.
This flaw is only triggered if the TFTP server sends an OACK without
the BLKSIZE option, when a BLKSIZE smaller than 512 bytes was requested
by the TFTP client. OACK is a TFTP extension and is not used by all
TFTP servers.
Users choosing a smaller block size than default should be rare as the
primary use case for changing the size is to make it larger.
It is rare for users to use TFTP across the Internet. It is most
commonly used within local networks. TFTP as a protocol is always
inherently insecure.
This issue was introduced by the add of the TFTP BLKSIZE option
handling. It was previously incompletely fixed by an almost identical
issue called CVE-2019-5436.
Discovery 2019-09-11 Entry 2019-09-14 curl
ge 7.19.4 lt 7.66.0
https://curl.haxx.se/docs/security.html
https://curl.haxx.se/docs/CVE-2019-5481.html
https://curl.haxx.se/docs/CVE-2019-5482.html
CVE-2019-5481
CVE-2019-5482
|
9314058e-5204-11e7-b712-b1a44a034d72 | cURL -- URL file scheme drive letter buffer overflow
cURL security advisory:
When libcurl is given either
1. a file: URL that doesn't use two slashes following the colon, or
2. is told that file is the default scheme to use for URLs without scheme
... and the given path starts with a drive letter and libcurl is built for
Windows or DOS, then libcurl would copy the path with a wrong offset, so that
the end of the given path would write beyond the malloc buffer. Up to seven
bytes too much.
We are not aware of any exploit of this flaw.
Discovery 2017-06-14 Entry 2017-06-15 curl
ge 7.53.0 lt 7.54.1
CVE-2017-9502
https://curl.haxx.se/docs/adv_20170614.html
|
ae5722a6-f5f0-11ec-856e-d4c9ef517024 | cURL -- Multiple vulnerabilities
The cURL project reports:
- CVE-2022-32205: Set-Cookie denial of service
- CVE-2022-32206: HTTP compression denial of service
- CVE-2022-32207: Unpreserved file permissions
- CVE-2022-32208: FTP-KRB bad message verification
Discovery 2022-06-27 Entry 2022-06-27 curl
ge 7.16.4 lt 7.84.0
CVE-2022-32205
CVE-2022-32206
CVE-2022-32207
CVE-2022-32208
https://curl.se/docs/security.html
|
3e2e9b44-25ce-11e7-a175-939b30e0836d | cURL -- TLS session resumption client cert bypass (again)
cURL security advisory:
libcurl would attempt to resume a TLS session even if the client
certificate had changed. That is unacceptable since a server by
specification is allowed to skip the client certificate check on
resume, and may instead use the old identity which was established
by the previous certificate (or no certificate).
libcurl supports by default the use of TLS session id/ticket to
resume previous TLS sessions to speed up subsequent TLS handshakes.
They are used when for any reason an existing TLS connection
couldn't be kept alive to make the next handshake faster.
This flaw is a regression and identical to CVE-2016-5419 reported
on August 3rd 2016, but affecting a different version range.
Discovery 2017-04-19 Entry 2017-04-20 curl
ge 7.52.0 lt 7.54.0
CVE-2017-7468
https://curl.haxx.se/docs/adv_20170419.html
|
04fe6c8d-2a34-4009-a81e-e7a7e759b5d2 | cURL -- multiple vulnerabilities
cURL security problems:
CVE-2018-1000300: FTP shutdown response buffer overflow
curl might overflow a heap based memory buffer when closing down an
FTP connection with very long server command replies.
When doing FTP transfers, curl keeps a spare "closure handle" around
internally that will be used when an FTP connection gets shut down
since the original curl easy handle is then already removed.
FTP server response data that gets cached from the original transfer
might then be larger than the default buffer size (16 KB) allocated in
the "closure handle", which can lead to a buffer overwrite. The
contents and size of that overwrite is controllable by the server.
This situation was detected by an assert() in the code, but that was
of course only preventing bad stuff in debug builds. This bug is very
unlikely to trigger with non-malicious servers.
We are not aware of any exploit of this flaw.
CVE-2018-1000301: RTSP bad headers buffer over-read
curl can be tricked into reading data beyond the end of a heap based
buffer used to store downloaded content.
When servers send RTSP responses back to curl, the data starts out
with a set of headers. curl parses that data to separate it into a
number of headers to deal with those appropriately and to find the end
of the headers that signal the start of the "body" part.
The function that splits up the response into headers is called
Curl_http_readwrite_headers() and in situations where it can't find a
single header in the buffer, it might end up leaving a pointer pointing
into the buffer instead of to the start of the buffer which then later
on may lead to an out of buffer read when code assumes that pointer
points to a full buffer size worth of memory to use.
This could potentially lead to information leakage but most likely a
crash/denial of service for applications if a server triggers this flaw.
We are not aware of any exploit of this flaw.
Discovery 2018-05-16 Entry 2018-05-16 curl
< 7.60.0
https://curl.haxx.se/docs/security.html
https://curl.haxx.se/docs/adv_2018-82c2.html
https://curl.haxx.se/docs/adv_2018-b138.html
CVE-2018-1000300
CVE-2018-1000301
|
92a4d881-c6cf-11ec-a06f-d4c9ef517024 | cURL -- Multiple vulnerabilities
The cURL project reports:
- OAUTH2 bearer bypass in connection re-use (CVE-2022-22576)
- Credential leak on redirect (CVE-2022-27774)
- Bad local IPv6 connection reuse (CVE-2022-27775)
- Auth/cookie leak on redirect (CVE-2022-27776)
Discovery 2022-04-27 Entry 2022-04-28 curl
< 7.83.0
CVE-2022-22576
CVE-2022-27774
CVE-2022-27775
CVE-2022-27776
https://curl.se/docs/vuln-7.82.0.html
|