{
  "schema_version": "1.5.0",
  "id": "CURL-CVE-2005-4077",
  "aliases": [
    "CVE-2005-4077"
  ],
  "summary": "URL Buffer Overflow",
  "modified": "2023-06-02T13:03:22.00Z",
  "database_specific": {
    "package": "curl",
    "affects": "both",
    "URL": "https://curl.se/docs/CVE-2005-4077.json",
    "www": "https://curl.se/docs/CVE-2005-4077.html",
    "CWE": {
      "id": "CWE-122",
      "desc": "Heap-based Buffer Overflow"
    },
    "last_affected": "7.15.0",
    "severity": "High"
  },
  "published": "2005-12-07T08:00:00.00Z",
  "affected": [
    {
      "ranges": [
        {
          "type": "SEMVER",
          "events": [
            {"introduced": "7.11.2"},
            {"fixed": "7.15.1"}
          ]
        }
      ],
      "versions": [
        "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", 
        "7.12.2", "7.12.1", "7.12.0", "7.11.2"
      ]
    }
  ],
  "credits": [
    {
      "name": "Stefan Esser",
      "type": "FINDER"
    },
    {
      "name": "Daniel Stenberg",
      "type": "REMEDIATION_DEVELOPER"
    },
    {
      "name": "Wilfried Weissmann",
      "type": "OTHER"
    }
  ],
  "details": "libcurl's URL parser function can overflow a heap based buffer in two ways, if\ngiven a too long URL.\n\nThese overflows happen if you\n\n 1 - pass in a URL with no protocol (like \"http://\") prefix, using no slash\n     and the string is 256 bytes or longer. This leads to a single zero byte\n     overflow of the heap buffer.\n\n 2 - pass in a URL with only a question mark as separator (no slash) between\n     the host and the query part of the URL. This leads to a single zero byte\n     overflow of the heap buffer.\n\nBoth overflows can be made with the same input string, leading to two single\nzero byte overwrites.\n\nThe affected flaw cannot be triggered by a redirect, but the long URL must be\npassed in \"directly\" to libcurl. It makes this a \"local\" problem. Of course,\nlots of programs may still pass in user-provided URLs to libcurl without doing\nmuch syntax checking of their own, allowing a user to exploit this\nvulnerability."
}