{"url":"http://public2.vulnerablecode.io/api/packages/191848?format=json","purl":"pkg:ebuild/net-misc/curl@7.34.0-r1","type":"ebuild","namespace":"net-misc","name":"curl","version":"7.34.0-r1","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"7.36.0","latest_non_vulnerable_version":"8.7.1","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/65634?format=json","vulnerability_id":"VCID-b76g-cq2w-t3a3","summary":"Stack-based buffer overflow in the Curl_sasl_create_digest_md5_message function in lib/curl_sasl.c in curl and libcurl 7.26.0 through 7.28.1, when negotiating SASL DIGEST-MD5 authentication, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string in the realm parameter in a (1) POP3, (2) SMTP or (3) IMAP message.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-0249.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-0249.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-0249","reference_id":"","reference_type":"","scores":[{"value":"0.44202","scoring_system":"epss","scoring_elements":"0.97617","published_at":"2026-06-04T12:55:00Z"},{"value":"0.44202","scoring_system":"epss","scoring_elements":"0.9762","published_at":"2026-06-05T12:55:00Z"},{"value":"0.44202","scoring_system":"epss","scoring_elements":"0.97622","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-0249"},{"reference_url":"https://curl.se/docs/CVE-2013-0249.html","reference_id":"","reference_type":"","scores":[{"value":"Critical","scoring_system":"cvssv3.1","scoring_elements":""}],"url":"https://curl.se/docs/CVE-2013-0249.html"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0249","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0249"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700002","reference_id":"700002","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700002"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=906779","reference_id":"906779","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=906779"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/linux/dos/24487.py","reference_id":"CVE-2013-0249;OSVDB-89988","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/linux/dos/24487.py"},{"reference_url":"https://security.gentoo.org/glsa/201401-14","reference_id":"GLSA-201401-14","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201401-14"},{"reference_url":"https://usn.ubuntu.com/1721-1/","reference_id":"USN-1721-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/1721-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/191848?format=json","purl":"pkg:ebuild/net-misc/curl@7.34.0-r1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:ebuild/net-misc/curl@7.34.0-r1"}],"aliases":["CVE-2013-0249"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"7.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-b76g-cq2w-t3a3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/65638?format=json","vulnerability_id":"VCID-cmcn-f8ws-q3h2","summary":"The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when disabling digital signature verification (CURLOPT_SSL_VERIFYPEER), also disables the CURLOPT_SSL_VERIFYHOST check for CN or SAN host name fields, which makes it easier for remote attackers to spoof servers and conduct man-in-the-middle (MITM) attacks.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-6422.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-6422.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-6422","reference_id":"","reference_type":"","scores":[{"value":"0.00253","scoring_system":"epss","scoring_elements":"0.48857","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00253","scoring_system":"epss","scoring_elements":"0.48919","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00253","scoring_system":"epss","scoring_elements":"0.48928","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-6422"},{"reference_url":"https://curl.se/docs/CVE-2013-6422.html","reference_id":"","reference_type":"","scores":[{"value":"Medium","scoring_system":"cvssv3.1","scoring_elements":""}],"url":"https://curl.se/docs/CVE-2013-6422.html"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6422","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6422"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1037918","reference_id":"1037918","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1037918"},{"reference_url":"https://security.gentoo.org/glsa/201401-14","reference_id":"GLSA-201401-14","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201401-14"},{"reference_url":"https://usn.ubuntu.com/2058-1/","reference_id":"USN-2058-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/2058-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/191848?format=json","purl":"pkg:ebuild/net-misc/curl@7.34.0-r1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:ebuild/net-misc/curl@7.34.0-r1"}],"aliases":["CVE-2013-6422"],"risk_score":2.4,"exploitability":"0.5","weighted_severity":"4.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cmcn-f8ws-q3h2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/65635?format=json","vulnerability_id":"VCID-g72q-eedp-aufb","summary":"The tailMatch function in cookie.c in cURL and libcurl before 7.30.0 does not properly match the path domain when sending cookies, which allows remote attackers to steal cookies via a matching suffix in the domain of a URL.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-1944.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-1944.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-1944","reference_id":"","reference_type":"","scores":[{"value":"0.02482","scoring_system":"epss","scoring_elements":"0.85568","published_at":"2026-06-04T12:55:00Z"},{"value":"0.02482","scoring_system":"epss","scoring_elements":"0.8559","published_at":"2026-06-05T12:55:00Z"},{"value":"0.02482","scoring_system":"epss","scoring_elements":"0.85595","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-1944"},{"reference_url":"https://curl.se/docs/CVE-2013-1944.html","reference_id":"","reference_type":"","scores":[{"value":"High","scoring_system":"cvssv3.1","scoring_elements":""}],"url":"https://curl.se/docs/CVE-2013-1944.html"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1944","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1944"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=705274","reference_id":"705274","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=705274"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=950577","reference_id":"950577","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=950577"},{"reference_url":"https://security.gentoo.org/glsa/201401-14","reference_id":"GLSA-201401-14","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201401-14"},{"reference_url":"https://access.redhat.com/errata/RHSA-2013:0771","reference_id":"RHSA-2013:0771","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2013:0771"},{"reference_url":"https://usn.ubuntu.com/1801-1/","reference_id":"USN-1801-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/1801-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/191848?format=json","purl":"pkg:ebuild/net-misc/curl@7.34.0-r1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:ebuild/net-misc/curl@7.34.0-r1"}],"aliases":["CVE-2013-1944"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-g72q-eedp-aufb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/65636?format=json","vulnerability_id":"VCID-hhu3-dp3m-gbgm","summary":"Heap-based buffer overflow in the curl_easy_unescape function in lib/escape.c in cURL and libcurl 7.7 through 7.30.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted string ending in a \"%\" (percent) character.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-2174.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-2174.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-2174","reference_id":"","reference_type":"","scores":[{"value":"0.03181","scoring_system":"epss","scoring_elements":"0.872","published_at":"2026-06-04T12:55:00Z"},{"value":"0.03181","scoring_system":"epss","scoring_elements":"0.87223","published_at":"2026-06-05T12:55:00Z"},{"value":"0.03181","scoring_system":"epss","scoring_elements":"0.8722","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-2174"},{"reference_url":"https://curl.se/docs/CVE-2013-2174.html","reference_id":"","reference_type":"","scores":[{"value":"High","scoring_system":"cvssv3.1","scoring_elements":""}],"url":"https://curl.se/docs/CVE-2013-2174.html"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2174","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2174"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=965640","reference_id":"965640","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=965640"},{"reference_url":"https://security.gentoo.org/glsa/201401-14","reference_id":"GLSA-201401-14","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201401-14"},{"reference_url":"https://access.redhat.com/errata/RHSA-2013:0983","reference_id":"RHSA-2013:0983","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2013:0983"},{"reference_url":"https://usn.ubuntu.com/1894-1/","reference_id":"USN-1894-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/1894-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/191848?format=json","purl":"pkg:ebuild/net-misc/curl@7.34.0-r1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:ebuild/net-misc/curl@7.34.0-r1"}],"aliases":["CVE-2013-2174"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hhu3-dp3m-gbgm"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:ebuild/net-misc/curl@7.34.0-r1"}