Search for packages
| purl | pkg:deb/ubuntu/curl@7.14.0-2ubuntu1 |
| Next non-vulnerable version | 7.68.0-1ubuntu2.7 |
| Latest non-vulnerable version | 7.68.0-1ubuntu2.7 |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1466-kdnq-aaab
Aliases: CVE-2015-3143 |
cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use NTLM connections, which allows remote attackers to connect as other users via an unauthenticated request, a similar issue to CVE-2014-0015. |
Affected by 58 other vulnerabilities. |
|
VCID-1z5w-2awv-aaaj
Aliases: CVE-2018-16890 |
libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length + offset combination that would lead to a buffer read out-of-bounds. |
Affected by 19 other vulnerabilities. |
|
VCID-2297-mgsv-aaaa
Aliases: CVE-2017-8816 |
The NTLM authentication feature in curl and libcurl before 7.57.0 on 32-bit platforms allows attackers to cause a denial of service (integer overflow and resultant buffer overflow, and application crash) or possibly have unspecified other impact via vectors involving long user and password fields. |
Affected by 34 other vulnerabilities. |
|
VCID-2zq2-qsgf-aaaj
Aliases: CVE-2021-22898 |
curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol. |
Affected by 2 other vulnerabilities. |
|
VCID-31vw-y2nq-aaas
Aliases: CVE-2016-8616 |
A flaw was found in curl before version 7.51.0 When re-using a connection, curl was doing case insensitive comparisons of user name and password with the existing connections. This means that if an unused connection with proper credentials exists for a protocol that has connection-scoped credentials, an attacker can cause that connection to be reused if s/he knows the case-insensitive version of the correct password. |
Affected by 45 other vulnerabilities. Affected by 42 other vulnerabilities. |
|
VCID-4fah-w821-aaap
Aliases: CVE-2017-1000100 |
When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too large value is then used in the sendto() call, making curl attempt to send more data than what is actually put into the buffer. The endto() function will then read beyond the end of the heap based buffer. A malicious HTTP(S) server could redirect a vulnerable libcurl-using client to a crafted TFTP URL (if the client hasn't restricted which protocols it allows redirects to) and trick it to send private memory contents to a remote server over UDP. Limit curl's redirect protocols with --proto-redir and libcurl's with CURLOPT_REDIR_PROTOCOLS. |
Affected by 52 other vulnerabilities. Affected by 37 other vulnerabilities. |
|
VCID-4s5t-spku-aaar
Aliases: CVE-2018-1000007 |
libcurl 7.1 through 7.57.0 might accidentally leak authentication data to third parties. When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the `Location:` response header value. Sending the same set of headers to subsequent hosts is in particular a problem for applications that pass on custom `Authorization:` headers, as this header often contains privacy sensitive information or data that could allow others to impersonate the libcurl-using client's request. |
Affected by 56 other vulnerabilities. Affected by 32 other vulnerabilities. |
|
VCID-4t2f-bfv9-aaan
Aliases: CVE-2017-1000257 |
An IMAP FETCH response line indicates the size of the returned data, in number of bytes. When that response says the data is zero bytes, libcurl would pass on that (non-existing) data with a pointer and the size (zero) to the deliver-data function. libcurl's deliver-data function treats zero as a magic number and invokes strlen() on the data to figure out the length. The strlen() is called on a heap based buffer that might not be zero terminated so libcurl might read beyond the end of it into whatever memory lies after (or just crash) and then deliver that to the application as if it was actually downloaded. |
Affected by 56 other vulnerabilities. Affected by 36 other vulnerabilities. |
|
VCID-54bc-cejm-aaaq
Aliases: CVE-2019-3822 |
libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening. This output data can grow larger than the local buffer if very large 'nt response' data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server. Such a 'large value' needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header. |
Affected by 19 other vulnerabilities. |
|
VCID-5fs1-75pg-aaah
Aliases: CVE-2018-0500 |
Curl_smtp_escape_eob in lib/smtp.c in curl 7.54.1 to and including curl 7.60.0 has a heap-based buffer overflow that might be exploitable by an attacker who can control the data that curl transmits over SMTP with certain settings (i.e., use of a nonstandard --limit-rate argument or CURLOPT_BUFFERSIZE value). |
Affected by 31 other vulnerabilities. Affected by 25 other vulnerabilities. |
|
VCID-5t39-fany-aaan
Aliases: CVE-2020-8177 |
curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead too overwriting a local file when the -J flag is used. |
Affected by 13 other vulnerabilities. Affected by 13 other vulnerabilities. |
|
VCID-61j5-aj1z-aaaq
Aliases: CVE-2021-22924 |
libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate. |
Affected by 2 other vulnerabilities. |
|
VCID-6evx-pnm1-aaag
Aliases: CVE-2016-8622 |
The URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function would be made to allocate a unscape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus the length would get either just truncated or both truncated and turned negative. That could then lead to libcurl writing outside of its heap based buffer. |
Affected by 45 other vulnerabilities. Affected by 42 other vulnerabilities. |
|
VCID-6qjg-v45t-aaam
Aliases: CVE-2021-22925 |
curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`in libcurl. This rarely used option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for sending `NEW_ENV` variables, libcurlcould be made to pass on uninitialized data from a stack based buffer to theserver. Therefore potentially revealing sensitive internal information to theserver using a clear-text network protocol.This could happen because curl did not call and use sscanf() correctly whenparsing the string provided by the application. |
Affected by 2 other vulnerabilities. |
|
VCID-7br9-fvxx-aaaj
Aliases: CVE-2016-7141 |
curl and libcurl before 7.50.2, when built with NSS and the libnsspem.so library is available at runtime, allow remote attackers to hijack the authentication of a TLS connection by leveraging reuse of a previously loaded client certificate from file for a connection for which no certificate has been set, a different vulnerability than CVE-2016-5420. |
Affected by 45 other vulnerabilities. Affected by 42 other vulnerabilities. |
|
VCID-7y9x-jdpb-aaaq
Aliases: CVE-2018-1000122 |
A buffer over-read exists in curl 7.20.0 to and including curl 7.58.0 in the RTSP+RTP handling code that allows an attacker to cause a denial of service or information leakage |
Affected by 53 other vulnerabilities. Affected by 28 other vulnerabilities. |
|
VCID-848q-hvjb-aaam
Aliases: CVE-2015-3148 |
cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use authenticated Negotiate connections, which allows remote attackers to connect as other users via a request. |
Affected by 58 other vulnerabilities. |
|
VCID-84am-t26m-aaan
Aliases: CVE-2016-8619 |
The function `read_data()` in security.c in curl before version 7.51.0 is vulnerable to memory double free. |
Affected by 45 other vulnerabilities. Affected by 42 other vulnerabilities. |
|
VCID-858y-3due-aaaf
Aliases: CVE-2016-8615 |
A flaw was found in curl before version 7.51. If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar. |
Affected by 45 other vulnerabilities. Affected by 42 other vulnerabilities. |
|
VCID-8gu1-r7rm-aaaq
Aliases: CVE-2016-0755 |
The ConnectionExists function in lib/url.c in libcurl before 7.47.0 does not properly re-use NTLM-authenticated proxy connections, which might allow remote attackers to authenticate as other users via a request, a similar issue to CVE-2014-0015. |
Affected by 57 other vulnerabilities. |
|
VCID-8n1u-u1zp-aaac
Aliases: CVE-2019-5482 |
Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3. |
Affected by 16 other vulnerabilities. |
|
VCID-9ndg-1sj3-aaab
Aliases: CVE-2020-8284 |
Affected by 9 other vulnerabilities. |
|
|
VCID-9q2e-1vc3-aaae
Aliases: CVE-2019-3823 |
libcurl versions from 7.34.0 to before 7.64.0 are vulnerable to a heap out-of-bounds read in the code handling the end-of-response for SMTP. If the buffer passed to `smtp_endofresp()` isn't NUL terminated and contains no character ending the parsed number, and `len` is set to 5, then the `strtol()` call reads beyond the allocated buffer. The read contents will not be returned to the caller. |
Affected by 15 other vulnerabilities. |
|
VCID-a5a7-essu-aaah
Aliases: CVE-2020-8286 |
curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response. |
Affected by 9 other vulnerabilities. |
|
VCID-bat6-t5kp-aaam
Aliases: CVE-2016-9586 |
curl before version 7.52.0 is vulnerable to a buffer overflow when doing a large floating point output in libcurl's implementation of the printf() functions. If there are any application that accepts a format string from the outside without necessary input filtering, it could allow remote attacks. |
Affected by 52 other vulnerabilities. Affected by 37 other vulnerabilities. |
|
VCID-bep2-u3nm-aaah
Aliases: CVE-2016-8617 |
The base64 encode function in curl before version 7.51.0 is prone to a buffer being under allocated in 32bit systems if it receives at least 1Gb as input via `CURLOPT_USERNAME`. |
Affected by 45 other vulnerabilities. Affected by 42 other vulnerabilities. |
|
VCID-c6sg-qvhv-aaac
Aliases: CVE-2016-5419 |
curl and libcurl before 7.50.1 do not prevent TLS session resumption when the client certificate has changed, which allows remote attackers to bypass intended restrictions by resuming a session. |
Affected by 54 other vulnerabilities. Affected by 54 other vulnerabilities. |
|
VCID-cjbd-4xhr-aaae
Aliases: CVE-2018-1000300 |
curl version curl 7.54.1 to and including curl 7.59.0 contains a CWE-122: Heap-based Buffer Overflow vulnerability in denial of service and more that can result in curl might overflow a heap based memory buffer when closing down an FTP connection with very long server command replies.. This vulnerability appears to have been fixed in curl < 7.54.1 and curl >= 7.60.0. |
Affected by 53 other vulnerabilities. Affected by 26 other vulnerabilities. |
|
VCID-d49w-zdjv-aaas
Aliases: CVE-2018-1000301 |
curl version curl 7.20.0 to and including curl 7.59.0 contains a CWE-126: Buffer Over-read vulnerability in denial of service that can result in curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded RTSP content.. This vulnerability appears to have been fixed in curl < 7.20.0 and curl >= 7.60.0. |
Affected by 56 other vulnerabilities. Affected by 26 other vulnerabilities. |
|
VCID-d75n-q9b7-aaah
Aliases: CVE-2016-5420 |
curl and libcurl before 7.50.1 do not check the client certificate when choosing the TLS connection to reuse, which might allow remote attackers to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate. |
Affected by 54 other vulnerabilities. Affected by 54 other vulnerabilities. |
|
VCID-daac-sxbr-aaas
Aliases: CVE-2017-1000254 |
libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients to work with it - the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault. The simple fact that this has issue remained undiscovered for this long could suggest that malformed PWD responses are rare in benign servers. We are not aware of any exploit of this flaw. This bug was introduced in commit [415d2e7cb7](https://github.com/curl/curl/commit/415d2e7cb7), March 2005. In libcurl version 7.56.0, the parser always zero terminates the string but also rejects it if not terminated properly with a final double quote. |
Affected by 52 other vulnerabilities. Affected by 37 other vulnerabilities. |
|
VCID-dad3-naak-aaaj
Aliases: CVE-2018-1000005 |
libcurl 7.49.0 to and including 7.57.0 contains an out bounds read in code handling HTTP/2 trailers. It was reported (https://github.com/curl/curl/pull/2231) that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the code that creates HTTP/1-like headers from the HTTP/2 trailer data once appended a string like `:` to the target buffer, while this was recently changed to `: ` (a space was added after the colon) but the following math wasn't updated correspondingly. When accessed, the data is read out of bounds and causes either a crash or that the (too large) data gets passed to client write. This could lead to a denial-of-service situation or an information disclosure if someone has a service that echoes back or uses the trailers for something. |
Affected by 32 other vulnerabilities. |
|
VCID-dz47-c3tm-aaap
Aliases: CVE-2021-22890 |
Affected by 6 other vulnerabilities. |
|
|
VCID-farc-u5hj-aaaq
Aliases: CVE-2016-8625 |
curl before version 7.51.0 uses outdated IDNA 2003 standard to handle International Domain Names and this may lead users to potentially and unknowingly issue network transfer requests to the wrong host. |
Affected by 31 other vulnerabilities. |
|
VCID-frk2-nvdc-aaap
Aliases: CVE-2015-3145 |
The sanitize_cookie_path function in cURL and libcurl 7.31.0 through 7.41.0 does not properly calculate an index, which allows remote attackers to cause a denial of service (out-of-bounds write and crash) or possibly have other unspecified impact via a cookie path containing only a double-quote character. |
Affected by 58 other vulnerabilities. |
|
VCID-fth4-rgkf-aaam
Aliases: CVE-2019-5436 |
A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1. |
Affected by 18 other vulnerabilities. |
|
VCID-gjhf-ks5f-aaag
Aliases: CVE-2016-8623 |
A flaw was found in curl before version 7.51.0. The way curl handles cookies permits other threads to trigger a use-after-free leading to information disclosure. |
Affected by 45 other vulnerabilities. Affected by 42 other vulnerabilities. |
|
VCID-gk8w-7smm-aaac
Aliases: CVE-2021-22947 |
When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached responses but instead continue using and trustingthe responses it got *before* the TLS handshake as if they were authenticated.Using this flaw, it allows a Man-In-The-Middle attacker to first inject the fake responses, then pass-through the TLS traffic from the legitimate server and trick curl into sending data back to the user thinking the attacker's injected data comes from the TLS-protected server. |
Affected by 0 other vulnerabilities. |
|
VCID-gm8s-9m9y-aaar
Aliases: CVE-2018-14618 |
curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.) |
Affected by 56 other vulnerabilities. Affected by 23 other vulnerabilities. |
|
VCID-gs8e-s85k-aaaq
Aliases: CVE-2017-8817 |
The FTP wildcard function in curl and libcurl before 7.57.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a string that ends with an '[' character. |
Affected by 56 other vulnerabilities. Affected by 34 other vulnerabilities. |
|
VCID-h6eq-ce8f-aaak
Aliases: CVE-2016-8624 |
curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use an URL parser that follows the RFC to check for allowed domains before using curl to request them. |
Affected by 45 other vulnerabilities. Affected by 42 other vulnerabilities. |
|
VCID-j8eq-c91u-aaan
Aliases: CVE-2021-22945 |
When sending data to an MQTT server, libcurl <= 7.73.0 and 7.78.0 could in some circumstances erroneously keep a pointer to an already freed memory area and both use that again in a subsequent call to send data and also free it *again*. |
Affected by 2 other vulnerabilities. |
|
VCID-jsdv-xy4r-aaam
Aliases: CVE-2014-8150 |
CRLF injection vulnerability in libcurl 6.0 through 7.x before 7.40.0, when using an HTTP proxy, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in a URL. |
Affected by 61 other vulnerabilities. |
|
VCID-juzu-eydf-aaaa
Aliases: CVE-2018-16840 |
A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. When closing and cleaning up an 'easy' handle in the `Curl_close()` function, the library code first frees a struct (without nulling the pointer) and might then subsequently erroneously write to a struct field within that already freed struct. |
Affected by 23 other vulnerabilities. |
|
VCID-mjks-tkp5-aaar
Aliases: CVE-2021-22946 |
A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or`CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` withlibcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response.This flaw would then make curl silently continue its operations **withoutTLS** contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network. |
Affected by 0 other vulnerabilities. |
|
VCID-mmab-matt-aaaj
Aliases: CVE-2017-1000101 |
curl supports "globbing" of URLs, in which a user can pass a numerical range to have the tool iterate over those numbers to do a sequence of transfers. In the globbing function that parses the numerical range, there was an omission that made curl read a byte beyond the end of the URL if given a carefully crafted, or just wrongly written, URL. The URL is stored in a heap based buffer, so it could then be made to wrongly read something else instead of crashing. An example of a URL that triggers the flaw would be `http://ur%20[0-60000000000000000000`. |
Affected by 52 other vulnerabilities. Affected by 37 other vulnerabilities. |
|
VCID-njss-xaxg-aaab
Aliases: CVE-2020-8231 |
Due to use of a dangling pointer, libcurl 7.29.0 through 7.71.1 can use the wrong connection when sending data. |
Affected by 12 other vulnerabilities. |
|
VCID-nn2j-we1s-aaaa
Aliases: CVE-2020-8169 |
curl 7.62.0 through 7.70.0 is vulnerable to an information disclosure vulnerability that can lead to a partial password being leaked over the network and to the DNS server(s). |
Affected by 13 other vulnerabilities. Affected by 13 other vulnerabilities. |
|
VCID-prru-3ys1-aaap
Aliases: CVE-2015-3144 |
The fix_hostname function in cURL and libcurl 7.37.0 through 7.41.0 does not properly calculate an index, which allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) or possibly have other unspecified impact via a zero-length host name, as demonstrated by "http://:80" and ":80." |
Affected by 61 other vulnerabilities. |
|
VCID-qeam-padc-aaap
Aliases: CVE-2018-1000121 |
A NULL pointer dereference exists in curl 7.21.0 to and including curl 7.58.0 in the LDAP code that allows an attacker to cause a denial of service |
Affected by 53 other vulnerabilities. Affected by 28 other vulnerabilities. |
|
VCID-qk4h-sd4m-aaaa
Aliases: CVE-2014-3613 |
cURL and libcurl before 7.38.0 does not properly handle IP addresses in cookie domain names, which allows remote attackers to set cookies for or send arbitrary cookies to certain sites, as demonstrated by a site at 192.168.0.1 setting cookies for a site at 127.168.0.1. |
Affected by 64 other vulnerabilities. |
|
VCID-spj8-2b9e-aaab
Aliases: CVE-2019-5481 |
Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3. |
Affected by 16 other vulnerabilities. |
|
VCID-swr2-25qk-aaan
Aliases: CVE-2017-7407 |
The ourWriteOut function in tool_writeout.c in curl 7.53.1 might allow physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which leads to a heap-based buffer over-read. |
Affected by 52 other vulnerabilities. Affected by 37 other vulnerabilities. |
|
VCID-tcgh-wx7h-aaae
Aliases: CVE-2016-8621 |
The `curl_getdate` function in curl before version 7.51.0 is vulnerable to an out of bounds read if it receives an input with one digit short. |
Affected by 45 other vulnerabilities. Affected by 42 other vulnerabilities. |
|
VCID-tgaa-yvya-aaan
Aliases: CVE-2018-1000120 GHSA-674j-7m97-j2p9 |
A buffer overflow exists in curl 7.12.3 to and including curl 7.58.0 in the FTP URL handling that allows an attacker to cause a denial of service or worse. |
Affected by 53 other vulnerabilities. Affected by 28 other vulnerabilities. |
|
VCID-tjzf-1k67-aaam
Aliases: CVE-2016-8618 |
The libcurl API function called `curl_maprintf()` before version 7.51.0 can be tricked into doing a double-free due to an unsafe `size_t` multiplication, on systems using 32 bit `size_t` variables. |
Affected by 45 other vulnerabilities. Affected by 42 other vulnerabilities. |
|
VCID-tv5p-yzmm-aaab
Aliases: CVE-2014-3707 |
The curl_easy_duphandle function in libcurl 7.17.1 through 7.38.0, when running with the CURLOPT_COPYPOSTFIELDS option, does not properly copy HTTP POST data for an easy handle, which triggers an out-of-bounds read that allows remote web servers to read sensitive memory information. |
Affected by 63 other vulnerabilities. |
|
VCID-tz5z-xncu-aaaf
Aliases: CVE-2021-22901 |
curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being used when a TLS 1.3 session ticket arrives over a connection. A malicious server can use this in rare unfortunate circumstances to potentially reach remote code execution in the client. When libcurl at run-time sets up support for TLS 1.3 session tickets on a connection using OpenSSL, it stores pointers to the transfer in-memory object for later retrieval when a session ticket arrives. If the connection is used by multiple transfers (like with a reused HTTP/1.1 connection or multiplexed HTTP/2 connection) that first transfer object might be freed before the new session is established on that connection and then the function will access a memory buffer that might be freed. When using that memory, libcurl might even call a function pointer in the object, making it possible for a remote code execution if the server could somehow manage to get crafted memory content into the correct place in memory. |
Affected by 6 other vulnerabilities. |
|
VCID-uhyn-bd8d-aaak
Aliases: CVE-2018-16842 |
Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service. |
Affected by 55 other vulnerabilities. Affected by 21 other vulnerabilities. |
|
VCID-vzhv-uppf-aaar
Aliases: CVE-2014-3620 |
cURL and libcurl before 7.38.0 allow remote attackers to bypass the Same Origin Policy and set cookies for arbitrary sites by setting a cookie for a top-level domain. |
Affected by 64 other vulnerabilities. |
|
VCID-w6x7-ya8u-aaaj
Aliases: CVE-2016-5421 |
Use-after-free vulnerability in libcurl before 7.50.1 allows attackers to control which connection is used or possibly have unspecified other impact via unknown vectors. |
Affected by 54 other vulnerabilities. Affected by 54 other vulnerabilities. |
|
VCID-wjdy-shr9-aaah
Aliases: CVE-2020-8285 |
curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing. |
Affected by 9 other vulnerabilities. |
|
VCID-wyw1-r84q-aaac
Aliases: CVE-2021-22876 |
Affected by 6 other vulnerabilities. |
|
|
VCID-x2zp-e3mj-aaas
Aliases: CVE-2016-7167 |
Multiple integer overflows in the (1) curl_escape, (2) curl_easy_escape, (3) curl_unescape, and (4) curl_easy_unescape functions in libcurl before 7.50.3 allow attackers to have unspecified impact via a string of length 0xffffffff, which triggers a heap-based buffer overflow. |
Affected by 45 other vulnerabilities. Affected by 42 other vulnerabilities. |
|
VCID-ygm6-kywu-aaap
Aliases: CVE-2018-16839 |
Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service. |
Affected by 55 other vulnerabilities. Affected by 21 other vulnerabilities. |
|
VCID-yvt4-4g2z-aaag
Aliases: CVE-2016-8620 |
The 'globbing' feature in curl before version 7.51.0 has a flaw that leads to integer overflow and out-of-bounds read via user controlled input. |
Affected by 45 other vulnerabilities. Affected by 42 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|