Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:alpm/archlinux/curl@7.56.0-1

Type alpm

Namespace archlinux

Name curl

Version 7.56.0-1

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 7.58.0-1

Latest_non_vulnerable_version 8.14.1-1

Affected_by_vulnerabilities

url VCID-swmn-7ns9-ekg1

vulnerability_id VCID-swmn-7ns9-ekg1

summary An IMAP FETCH response line indicates the size of the returned data, in number of bytes. When that response says the data is zero bytes, libcurl would pass on that (non-existing) data with a pointer and the size (zero) to the deliver-data function. libcurl's deliver-data function treats zero as a magic number and invokes strlen() on the data to figure out the length. The strlen() is called on a heap based buffer that might not be zero terminated so libcurl might read beyond the end of it into whatever memory lies after (or just crash) and then deliver that to the application as if it was actually downloaded.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-1000257.json

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-1000257.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2017-1000257

reference_id

reference_type

scores

value	0.00863
scoring_system	epss
scoring_elements	0.75471
published_at	2026-06-06T12:55:00Z

value	0.00863
scoring_system	epss
scoring_elements	0.75467
published_at	2026-06-05T12:55:00Z

value	0.00863
scoring_system	epss
scoring_elements	0.75461
published_at	2026-06-07T12:55:00Z

value	0.00863
scoring_system	epss
scoring_elements	0.75438
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2017-1000257

reference_url

https://curl.se/docs/CVE-2017-1000257.html

reference_id

reference_type

scores

value	Medium
scoring_system	cvssv3.1
scoring_elements

url

https://curl.se/docs/CVE-2017-1000257.html

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000257
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000257

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	4
scoring_system	cvssv2
scoring_elements	AV:N/AC:H/Au:N/C:N/I:P/A:P

value	4.8
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

http://www.securityfocus.com/bid/101519

reference_id

101519

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-15T21:02:33Z/

url

http://www.securityfocus.com/bid/101519

reference_url

http://www.securitytracker.com/id/1039644

reference_id

1039644

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-15T21:02:33Z/

url

http://www.securitytracker.com/id/1039644

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1503705
reference_id	1503705
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1503705

reference_url

https://curl.haxx.se/docs/adv_20171023.html

reference_id

adv_20171023.html

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-15T21:02:33Z/

url

https://curl.haxx.se/docs/adv_20171023.html

reference_url	https://security.archlinux.org/ASA-201711-10
reference_id	ASA-201711-10
reference_type
scores
url	https://security.archlinux.org/ASA-201711-10

reference_url	https://security.archlinux.org/ASA-201711-11
reference_id	ASA-201711-11
reference_type
scores
url	https://security.archlinux.org/ASA-201711-11

reference_url	https://security.archlinux.org/ASA-201711-6
reference_id	ASA-201711-6
reference_type
scores
url	https://security.archlinux.org/ASA-201711-6

reference_url	https://security.archlinux.org/ASA-201711-7
reference_id	ASA-201711-7
reference_type
scores
url	https://security.archlinux.org/ASA-201711-7

reference_url	https://security.archlinux.org/ASA-201711-8
reference_id	ASA-201711-8
reference_type
scores
url	https://security.archlinux.org/ASA-201711-8

reference_url	https://security.archlinux.org/ASA-201711-9
reference_id	ASA-201711-9
reference_type
scores
url	https://security.archlinux.org/ASA-201711-9

reference_url

https://security.archlinux.org/AVG-462

reference_id

AVG-462

reference_type

scores

value	Medium
scoring_system	archlinux
scoring_elements

url

https://security.archlinux.org/AVG-462

reference_url

https://security.archlinux.org/AVG-463

reference_id

AVG-463

reference_type

scores

value	Medium
scoring_system	archlinux
scoring_elements

url

https://security.archlinux.org/AVG-463

reference_url

https://security.archlinux.org/AVG-464

reference_id

AVG-464

reference_type

scores

value	Medium
scoring_system	archlinux
scoring_elements

url

https://security.archlinux.org/AVG-464

reference_url

https://security.archlinux.org/AVG-465

reference_id

AVG-465

reference_type

scores

value	Medium
scoring_system	archlinux
scoring_elements

url

https://security.archlinux.org/AVG-465

reference_url

https://security.archlinux.org/AVG-466

reference_id

AVG-466

reference_type

scores

value	Medium
scoring_system	archlinux
scoring_elements

url

https://security.archlinux.org/AVG-466

reference_url

https://security.archlinux.org/AVG-467

reference_id

AVG-467

reference_type

scores

value	Medium
scoring_system	archlinux
scoring_elements

url

https://security.archlinux.org/AVG-467

reference_url

http://www.debian.org/security/2017/dsa-4007

reference_id

dsa-4007

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-15T21:02:33Z/

url

http://www.debian.org/security/2017/dsa-4007

reference_url

https://security.gentoo.org/glsa/201712-04

reference_id

GLSA-201712-04

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-15T21:02:33Z/

url

https://security.gentoo.org/glsa/201712-04

reference_url

https://access.redhat.com/errata/RHSA-2017:3263

reference_id

RHSA-2017:3263

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-15T21:02:33Z/

url

https://access.redhat.com/errata/RHSA-2017:3263

reference_url	https://usn.ubuntu.com/3441-2/
reference_id	USN-3441-2
reference_type
scores
url	https://usn.ubuntu.com/3441-2/

reference_url	https://usn.ubuntu.com/3457-1/
reference_id	USN-3457-1
reference_type
scores
url	https://usn.ubuntu.com/3457-1/

fixed_packages

url pkg:alpm/archlinux/curl@7.56.1-1

purl pkg:alpm/archlinux/curl@7.56.1-1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-7jrx-ykk8-h3gp

vulnerability	VCID-dj48-3dkt-dbdh

vulnerability	VCID-f8vu-23bb-5ue7

resource_url http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/curl@7.56.1-1

aliases CVE-2017-1000257

risk_score 4.1

exploitability 0.5

weighted_severity 8.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-swmn-7ns9-ekg1

Fixing_vulnerabilities

url VCID-naac-snjw-qbad

vulnerability_id VCID-naac-snjw-qbad

summary libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients to work with it - the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault. The simple fact that this has issue remained undiscovered for this long could suggest that malformed PWD responses are rare in benign servers. We are not aware of any exploit of this flaw. This bug was introduced in commit [415d2e7cb7](https://github.com/curl/curl/commit/415d2e7cb7), March 2005. In libcurl version 7.56.0, the parser always zero terminates the string but also rejects it if not terminated properly with a final double quote.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-1000254.json

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-1000254.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2017-1000254

reference_id

reference_type

scores

value	0.01318
scoring_system	epss
scoring_elements	0.80206
published_at	2026-06-04T12:55:00Z

value	0.01318
scoring_system	epss
scoring_elements	0.80229
published_at	2026-06-07T12:55:00Z

value	0.01318
scoring_system	epss
scoring_elements	0.80233
published_at	2026-06-06T12:55:00Z

value	0.01318
scoring_system	epss
scoring_elements	0.8023
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2017-1000254

reference_url

https://curl.se/docs/CVE-2017-1000254.html

reference_id

reference_type

scores

value	Medium
scoring_system	cvssv3.1
scoring_elements

url

https://curl.se/docs/CVE-2017-1000254.html

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000100
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000100

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000101
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000101

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000254
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000254

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	2.6
scoring_system	cvssv2
scoring_elements	AV:N/AC:H/Au:N/C:N/I:N/A:P

value	3.7
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1495541
reference_id	1495541
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1495541

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877671
reference_id	877671
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877671

reference_url	https://security.archlinux.org/ASA-201710-2
reference_id	ASA-201710-2
reference_type
scores
url	https://security.archlinux.org/ASA-201710-2

reference_url	https://security.archlinux.org/ASA-201710-3
reference_id	ASA-201710-3
reference_type
scores
url	https://security.archlinux.org/ASA-201710-3

reference_url	https://security.archlinux.org/ASA-201710-4
reference_id	ASA-201710-4
reference_type
scores
url	https://security.archlinux.org/ASA-201710-4

reference_url	https://security.archlinux.org/ASA-201710-5
reference_id	ASA-201710-5
reference_type
scores
url	https://security.archlinux.org/ASA-201710-5

reference_url	https://security.archlinux.org/ASA-201710-6
reference_id	ASA-201710-6
reference_type
scores
url	https://security.archlinux.org/ASA-201710-6

reference_url	https://security.archlinux.org/ASA-201710-7
reference_id	ASA-201710-7
reference_type
scores
url	https://security.archlinux.org/ASA-201710-7

reference_url

https://security.archlinux.org/AVG-371

reference_id

AVG-371

reference_type

scores

value	Medium
scoring_system	archlinux
scoring_elements

url

https://security.archlinux.org/AVG-371

reference_url

https://security.archlinux.org/AVG-386

reference_id

AVG-386

reference_type

scores

value	Medium
scoring_system	archlinux
scoring_elements

url

https://security.archlinux.org/AVG-386

reference_url

https://security.archlinux.org/AVG-387

reference_id

AVG-387

reference_type

scores

value	Medium
scoring_system	archlinux
scoring_elements

url

https://security.archlinux.org/AVG-387

reference_url

https://security.archlinux.org/AVG-388

reference_id

AVG-388

reference_type

scores

value	Medium
scoring_system	archlinux
scoring_elements

url

https://security.archlinux.org/AVG-388

reference_url

https://security.archlinux.org/AVG-389

reference_id

AVG-389

reference_type

scores

value	Medium
scoring_system	archlinux
scoring_elements

url

https://security.archlinux.org/AVG-389

reference_url

https://security.archlinux.org/AVG-422

reference_id

AVG-422

reference_type

scores

value	Low
scoring_system	archlinux
scoring_elements

url

https://security.archlinux.org/AVG-422

reference_url	https://security.gentoo.org/glsa/201712-04
reference_id	GLSA-201712-04
reference_type
scores
url	https://security.gentoo.org/glsa/201712-04

reference_url	https://usn.ubuntu.com/3441-1/
reference_id	USN-3441-1
reference_type
scores
url	https://usn.ubuntu.com/3441-1/

reference_url	https://usn.ubuntu.com/3441-2/
reference_id	USN-3441-2
reference_type
scores
url	https://usn.ubuntu.com/3441-2/

fixed_packages

url pkg:alpm/archlinux/curl@7.56.0-1

purl pkg:alpm/archlinux/curl@7.56.0-1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-swmn-7ns9-ekg1

resource_url http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/curl@7.56.0-1

aliases CVE-2017-1000254

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-naac-snjw-qbad

Risk_score 4.1

Resource_url http://public2.vulnerablecode.io/packages/pkg:alpm/archlinux/curl@7.56.0-1

Package Instance