Search for packages
| purl | pkg:deb/debian/curl@7.74.0-1.3%2Bdeb11u9 |
| Tags | Ghost |
| Next non-vulnerable version | 7.88.1-10+deb12u6~bpo11+1 |
| Latest non-vulnerable version | 8.14.1-2 |
| Risk | 4.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-7j8d-dux3-aaaa
Aliases: CVE-2023-28320 |
A denial of service vulnerability exists in curl <v8.1.0 in the way libcurl provides several different backends for resolving host names, selected at build time. If it is built to use the synchronous resolver, it allows name resolves to time-out slow operations using `alarm()` and `siglongjmp()`. When doing this, libcurl used a global buffer that was not mutex protected and a multi-threaded application might therefore crash or otherwise misbehave. |
Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. Affected by 13 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-9ee5-xkhm-aaad
Aliases: CVE-2021-22923 |
When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened. |
Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. Affected by 13 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-fz5g-qsdx-aaah
Aliases: CVE-2022-43551 |
A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`. Then in a subsequent request, it does not detect the HSTS state and makes a clear text transfer. Because it would store the info IDN encoded but look for it IDN decoded. |
Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. Affected by 13 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-naz1-7t8w-aaar
Aliases: CVE-2021-22922 |
When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk. |
Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. Affected by 13 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-nk4q-jbuf-aaac
Aliases: CVE-2022-42916 |
In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26. |
Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-ptfv-zjv6-aaad
Aliases: CVE-2023-23914 |
A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality fail when multiple URLs are requested serially. Using its HSTS support, curl can be instructed to use HTTPS instead of usingan insecure clear-text HTTP step even when HTTP is provided in the URL. ThisHSTS mechanism would however surprisingly be ignored by subsequent transferswhen done on the same command line because the state would not be properlycarried on. |
Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-y163-ytv8-aaad
Aliases: CVE-2023-23915 |
A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality to behave incorrectly when multiple URLs are requested in parallel. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly fail when multiple transfers are done in parallel as the HSTS cache file gets overwritten by the most recentlycompleted transfer. A later HTTP-only transfer to the earlier host name would then *not* get upgraded properly to HSTS. |
Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2024-01-12T12:36:59.384263+00:00 | Debian Importer | Affected by | VCID-7j8d-dux3-aaaa | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc2 |
| 2024-01-12T12:36:45.721042+00:00 | Debian Importer | Affected by | VCID-7j8d-dux3-aaaa | None | 34.0.0rc2 |
| 2024-01-12T11:53:20.035748+00:00 | Debian Importer | Affected by | VCID-y163-ytv8-aaad | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc2 |
| 2024-01-12T11:53:05.560528+00:00 | Debian Importer | Affected by | VCID-y163-ytv8-aaad | None | 34.0.0rc2 |
| 2024-01-12T11:52:50.417284+00:00 | Debian Importer | Affected by | VCID-ptfv-zjv6-aaad | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc2 |
| 2024-01-12T11:52:27.396662+00:00 | Debian Importer | Affected by | VCID-ptfv-zjv6-aaad | None | 34.0.0rc2 |
| 2024-01-12T07:17:54.565431+00:00 | Debian Importer | Affected by | VCID-fz5g-qsdx-aaah | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc2 |
| 2024-01-12T07:17:50.399772+00:00 | Debian Importer | Affected by | VCID-fz5g-qsdx-aaah | None | 34.0.0rc2 |
| 2024-01-12T07:00:12.086002+00:00 | Debian Importer | Affected by | VCID-nk4q-jbuf-aaac | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc2 |
| 2024-01-12T06:59:57.066477+00:00 | Debian Importer | Affected by | VCID-nk4q-jbuf-aaac | None | 34.0.0rc2 |
| 2024-01-10T22:36:46.060151+00:00 | Debian Importer | Affected by | VCID-9ee5-xkhm-aaad | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc2 |
| 2024-01-10T22:36:31.281323+00:00 | Debian Importer | Affected by | VCID-9ee5-xkhm-aaad | None | 34.0.0rc2 |
| 2024-01-10T22:35:57.114009+00:00 | Debian Importer | Affected by | VCID-naz1-7t8w-aaar | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc2 |
| 2024-01-10T22:35:52.425688+00:00 | Debian Importer | Affected by | VCID-naz1-7t8w-aaar | None | 34.0.0rc2 |
| 2024-01-05T08:24:01.732093+00:00 | Debian Importer | Affected by | VCID-7j8d-dux3-aaaa | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc1 |
| 2024-01-05T08:23:54.050367+00:00 | Debian Importer | Affected by | VCID-7j8d-dux3-aaaa | None | 34.0.0rc1 |
| 2024-01-05T07:57:12.488415+00:00 | Debian Importer | Affected by | VCID-y163-ytv8-aaad | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc1 |
| 2024-01-05T07:56:58.760816+00:00 | Debian Importer | Affected by | VCID-y163-ytv8-aaad | None | 34.0.0rc1 |
| 2024-01-05T07:56:44.659435+00:00 | Debian Importer | Affected by | VCID-ptfv-zjv6-aaad | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc1 |
| 2024-01-05T07:56:25.907736+00:00 | Debian Importer | Affected by | VCID-ptfv-zjv6-aaad | None | 34.0.0rc1 |
| 2024-01-05T05:37:49.572908+00:00 | Debian Importer | Affected by | VCID-fz5g-qsdx-aaah | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc1 |
| 2024-01-05T05:37:45.958164+00:00 | Debian Importer | Affected by | VCID-fz5g-qsdx-aaah | None | 34.0.0rc1 |
| 2024-01-05T05:33:46.830181+00:00 | Debian Importer | Affected by | VCID-nk4q-jbuf-aaac | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc1 |
| 2024-01-05T05:33:33.778885+00:00 | Debian Importer | Affected by | VCID-nk4q-jbuf-aaac | None | 34.0.0rc1 |
| 2024-01-04T11:47:36.860547+00:00 | Debian Importer | Affected by | VCID-9ee5-xkhm-aaad | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc1 |
| 2024-01-04T11:47:23.917736+00:00 | Debian Importer | Affected by | VCID-9ee5-xkhm-aaad | None | 34.0.0rc1 |
| 2024-01-04T11:46:51.661628+00:00 | Debian Importer | Affected by | VCID-naz1-7t8w-aaar | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc1 |
| 2024-01-04T11:46:47.334607+00:00 | Debian Importer | Affected by | VCID-naz1-7t8w-aaar | None | 34.0.0rc1 |